Is Your Computer Safe From This WinRAR Flaw?

Google Flags Critical WinRAR Flaw Exploited to Take Control of Windows Systems

The420.in Staff

Google has issued a fresh warning over a critical security vulnerability in WinRAR, one of the most widely used file compression utilities on Windows, after researchers found it being actively exploited to gain unauthorised control over systems. The flaw allows attackers to place malicious files in sensitive system locations without the user’s knowledge, enabling persistent access to compromised machines.

The vulnerability, tracked as CVE-2025-8088, was first observed being exploited in July 2025. Although a fix has been available since July 30, 2025, security researchers say the flaw continues to be abused across multiple cyber campaigns, exposing users and organisations that have not updated their software.


How the flaw works

The vulnerability stems from a path traversal weakness in WinRAR that can be triggered through specially crafted archive files. When a user opens a malicious RAR file, hidden components are silently extracted to locations of the attacker's choosing rather than to the folder the user selected, without any indication that this has happened.

Researchers found that attackers frequently abuse this weakness to drop files directly into the Windows Startup folder, ensuring that malicious programs automatically execute each time the system restarts or a user logs in. This technique provides attackers with long-term persistence and control over the affected machine.

Wide range of attackers involved

Security teams have linked exploitation of the flaw to a broad spectrum of threat actors, including state-linked espionage groups and financially motivated cybercriminals. Campaigns attributed to Russia- and China-linked actors have targeted government, military and technology entities, while criminal groups have focused on businesses in sectors such as hospitality, banking and commercial services.

The attackers have used the vulnerability to deliver malware, steal credentials and establish covert backdoors on victim systems. Analysts noted that similar tactics were seen in earlier WinRAR exploits, underlining how attackers continue to rely on widely installed but slow-to-update software.

Use of hidden file techniques

Investigators observed that the attacks often rely on Alternate Data Streams (ADS), a feature of the Windows file system that can be misused to conceal malicious content. Victims opening the archive typically see what appears to be a harmless document—such as a PDF—while the malicious payload is quietly written elsewhere on the system.

In several cases, file names were crafted to appear legitimate while secretly containing executable components. Once planted in startup locations, these files run automatically without further user interaction, making detection difficult.
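The defect class described in the two sections above, path traversal and alternate data stream names inside archive entries, is what a hardened extractor must screen for before it writes a single file. The following is an added illustration written for this article, not WinRAR's code and not a reproduction of the CVE-2025-8088 trigger; the entry names, the `C:\extract` destination and the function names are constructed for the example. It applies the standard checks on Windows path syntax (absolute and UNC paths, drive letters, `..` components, and the `file:stream` ADS form) and reports which entries would be allowed to land under the chosen folder.

```python
"""Screen archive entry names so extraction cannot escape its target folder.

Added example for the WinRAR article; not WinRAR code. Uses only the
standard library (ntpath is pure Python, so this runs on any platform).
"""
import ntpath

# Constructed destination folder; any extractor would take this from the user.
DEFAULT_DEST = r"C:\extract"


def is_safe_entry(name: str, dest: str = DEFAULT_DEST) -> bool:
    """Return True only if `name`, extracted under `dest`, stays inside `dest`.

    Rules applied to every entry name before anything is written:
      * no absolute, drive-relative or UNC paths (C:\\..., \\..., \\\\srv\\share)
      * no '..' components at all (rejected even if they would cancel out)
      * no NTFS alternate data stream suffix ('report.pdf:payload.exe')
      * the normalised result must still have `dest` as a prefix
    """
    if not name:
        return False
    # Windows treats '/' and '\' alike, so normalise before inspecting.
    norm = name.replace("/", "\\")
    drive, tail = ntpath.splitdrive(norm)
    if drive or tail.startswith("\\"):
        return False                      # absolute, drive-relative or UNC
    if ":" in tail:
        return False                      # ADS syntax or stray drive letter
    parts = [p for p in tail.split("\\") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False                      # empty name or traversal attempt
    # Belt and braces: resolve the joined path and confirm the prefix.
    dest_abs = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_abs, *parts))
    return target.startswith(dest_abs + "\\")


def triage_entries(entries, dest: str = DEFAULT_DEST):
    """Split entry names into (allowed, rejected) lists for logging or blocking."""
    allowed, rejected = [], []
    for entry in entries:
        (allowed if is_safe_entry(entry, dest) else rejected).append(entry)
    return allowed, rejected


# Constructed sample entry names, covering the cases the checks target.
SAMPLE_ENTRIES = [
    "report.pdf",                      # plain file in the chosen folder
    "docs\\invoice.docx",              # subfolder of the chosen folder
    "..\\..\\elsewhere\\x.exe",        # parent traversal
    "docs/../../evil.lnk",             # traversal written with forward slashes
    "C:\\Windows\\Temp\\x.exe",        # absolute path with drive letter
    "\\\\server\\share\\x.exe",        # UNC path
    "report.pdf:payload.exe",          # alternate data stream name
    "sub\\..\\ok.txt",                 # harmless after normalisation, still rejected
]

if __name__ == "__main__":
    ok, bad = triage_entries(SAMPLE_ENTRIES)
    print("allowed:", ok)
    print("rejected:", bad)
```

The last sample shows a deliberate design choice: `sub\..\ok.txt` would resolve inside the destination, but the function rejects any `..` component outright instead of reasoning about whether it cancels out, since the cost of a false rejection on a legitimate archive is far lower than the cost of a missed escape.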

Targets span multiple regions

Campaigns exploiting the vulnerability have been observed across Eastern Europe, Asia and Latin America, with targets ranging from public institutions to private enterprises. Researchers said the continued spread of these attacks highlights the scale of risk posed by unpatched systems, particularly in environments where WinRAR is widely used for file exchange.

The pattern mirrors earlier exploitation of a WinRAR vulnerability disclosed in 2023, reinforcing concerns that known flaws remain attractive to attackers long after patches are released.

Patch available, but risk remains

Security experts have stressed that users and organisations running WinRAR versions earlier than 7.13 remain vulnerable. Despite public advisories and available updates, a significant number of systems have yet to apply the fix, leaving them exposed to active exploitation.

Google has advised users to keep security features such as Safe Browsing and email attachment scanning enabled, noting that these defences can help block files known to contain exploit code. However, experts caution that such measures should be viewed as supplementary, not a replacement for timely software updates.

Urgent call for updates

Cybersecurity professionals are once again urging organisations to prioritise patch management and regular software updates. “Attackers consistently exploit the gap between disclosure and patch adoption,” researchers noted, warning that delays can turn widely used tools into effective entry points for large-scale compromise.

As investigations continue, the warning serves as a reminder that even trusted, everyday software can become a significant security risk if left unpatched.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
