A recently fixed WinRAR vulnerability (CVE-2025-8088) was exploited as a zero-day in phishing attacks to install the RomCom malware. The flaw is a directory traversal vulnerability: a crafted archive can write files to an attacker-chosen path instead of the extraction directory the user selected.
Attackers can use it to build archives that drop executables into autorun locations such as the Windows Startup folder; the dropped executable runs at the user's next login, giving the attacker remote code execution. Note that WinRAR has no auto-update feature, so protection depends on manually downloading and installing the latest version.
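As an added example (not code from the article, ESET or WinRAR), this is the check an archive extractor or a mail-gateway attachment scanner should apply to entry names before writing anything to disk. The destination directory and entry names are constructed samples; the article does not describe how CVE-2025-8088 encodes its path, so this models the classic form of the bug class, not the exact trigger.

```python
import ntpath

# Constructed sample values (illustrative, not taken from the real exploit):
# the directory the user picked for extraction and the entry names listed in an archive.
DEST_DIR = "C:\\Users\\alice\\Downloads\\report"
SAMPLE_ENTRIES = [
    "report/summary.docx",                       # benign, forward slashes
    "images\\chart.png",                         # benign
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
    "docs\\..\\..\\escape.txt",                  # traversal hidden behind a normal-looking prefix
    "C:\\Users\\Public\\dropped.exe",            # absolute path with drive letter
    "\\\\server\\share\\payload.exe",            # UNC path
    "\\rooted\\file.txt",                        # rooted on the current drive
]


def check_entry(dest_dir, entry_name):
    """Return None if extracting entry_name under dest_dir stays inside dest_dir,
    otherwise a short reason. Uses Windows path rules (ntpath) on any host OS."""
    drive, _ = ntpath.splitdrive(entry_name)
    if drive:
        return "drive or UNC prefix"
    # isabs() stopped treating single-slash "rooted" paths as absolute in Python 3.13,
    # so test the leading separator explicitly as well.
    if ntpath.isabs(entry_name) or entry_name[:1] in ("\\", "/"):
        return "absolute or rooted path"
    # normpath collapses "a\\..\\b" but keeps any ".." that climbs above the start.
    if ntpath.normpath(entry_name).split("\\")[0] == "..":
        return "parent-directory traversal"
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, entry_name))
    # Final authority: the resolved path must still have dest as its prefix.
    if ntpath.commonpath([dest, target]) != dest:
        return "resolves outside destination"
    return None


def audit_entries(dest_dir, entry_names):
    """Return (entry_name, reason) pairs for every entry that would escape dest_dir."""
    findings = []
    for name in entry_names:
        reason = check_entry(dest_dir, name)
        if reason is not None:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_entries(DEST_DIR, SAMPLE_ENTRIES):
        print(f"BLOCK {name!r}: {reason}")
```

An extractor that enforces this check refuses the Startup-folder entry before any file is written; a scanner can apply the same function to a listing of archive entry names without extracting the archive.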
The RomCom group, linked to ransomware and data-theft extortion attacks, has been actively exploiting this vulnerability through spear-phishing emails carrying RAR attachments. ESET researchers discovered the flaw and confirmed its exploitation in phishing attacks. To stay protected, users should download and install the latest WinRAR version from the official website.
Source: https://www.bleepingcomputer.com/news/security/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks