A critical WinRAR flaw is now being used by hackers to push malware onto victims’ devices. Security firm ESET says the vulnerability, labeled CVE-2025-8088, allows attackers to take control of file extraction paths and execute harmful code. The Russian-aligned RomCom group is already targeting users through phishing campaigns.
How attackers exploit the WinRAR flaw

Normally, WinRAR extracts files to the folder a user selects. However, this flaw lets a malicious archive redirect files to a hacker’s chosen location. From there, the attacker can run rogue programs on Windows PCs, creating an open door for data theft and further infections.
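The check below is an added illustration, not code from ESET or WinRAR. It shows the rule that safe extraction is meant to enforce, which is that every archive entry must resolve inside the folder the user selected. It covers the general class of redirected extraction paths rather than this one flaw, and the function names, destination folder and entry names are all constructed for the example.

```python
import ntpath  # Windows path semantics, importable on any OS

# Constructed sample data (not taken from any real archive).
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/../terms.txt",
    r"..\..\elsewhere\dropped.bin",
    r"docs\..\..\readme.txt",
    r"C:\Temp\dropped.bin",
    r"\\server\share\dropped.bin",
]


def check_entry(dest, entry):
    """Return None if entry stays inside dest, otherwise a reason string."""
    name = entry.replace("/", "\\")
    if ":" in name:
        # On Windows a colon means a drive letter or a stream specifier.
        return "colon in name"
    if name.startswith("\\"):
        return "rooted or UNC path"
    root = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normpath(ntpath.join(root, ntpath.normcase(name)))
    prefix = root.rstrip("\\") + "\\"
    if target != root and not target.startswith(prefix):
        return "escapes destination: " + target
    return None


def audit(dest, entries):
    """Map each unsafe entry name to the reason it was rejected."""
    findings = {}
    for entry in entries:
        reason = check_entry(dest, entry)
        if reason is not None:
            findings[entry] = reason
    return findings


if __name__ == "__main__":
    for entry, reason in audit(DEST, SAMPLE_ENTRIES).items():
        print(f"REJECT {entry!r}: {reason}")
```

Entries that normalise back into the destination, such as `docs/../terms.txt`, pass; anything that climbs above it, names a drive, or starts at a root is rejected before a single byte is written.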
Targeted phishing campaigns on the rise
ESET has tracked spearphishing emails carrying booby-trapped RAR files. Once opened, these archives use the vulnerability to install RomCom backdoors. Past versions of RomCom malware have stolen sensitive data, disabled security tools, and downloaded additional malicious software.
Key attack details:
- Delivered through phishing emails with RAR attachments
- Exploits CVE-2025-8088 to bypass safe extraction
- Linked to Russia-aligned RomCom hacking group
WinRAR patch available, but you must install it manually
WinRAR 7.13 Final contains the fix. However, because the program lacks automatic updates, users must download and install the patch themselves. Delaying the update leaves your system open to ongoing attacks.
Why you need to act now
Threat actors are already exploiting this flaw in the wild. Even careful users can be tricked by convincing emails. By updating immediately, you shut down an active infection route and protect sensitive files. The patch process is quick, but waiting could have lasting consequences.