Overview
RARLAB has recently disclosed and patched a critical vulnerability affecting WinRAR version 7.12 and all prior versions. A specially crafted archive can perform directory traversal during extraction and write an embedded payload to a location other than the directory the user selected.
When such an archive is unpacked, data stored in an alternate data stream (ADS) of an archived file is written to a directory of the attacker's choice. Because that directory can be one Windows executes from automatically, the result is code execution and persistence on the victim's machine.
The vulnerability has been assigned a CVSS score of 8.4 and is fixed in WinRAR version 7.13.
CVE-2025-8088
When using an affected version of WinRAR to open a malicious archive, the WinRAR file explorer displays nothing out of the ordinary throughout the decompression process.
However, an alternate data stream attached to the compressed file carries two pieces of data: a directory traversal string, stored as the name of the stream, and the malicious payload, stored as the stream's contents.
Alternate data streams are a normal feature of NTFS, but this stream name is easy to recognise as malicious: it is a directory traversal sequence of the form “.\..\..\..\..\..\..\”, whereas legitimate streams carry names such as “$DATA” (the default, unnamed data stream) or “Zone.Identifier” (the stream that holds the “mark of the web” on downloaded files).
During extraction, WinRAR treats the stream name as part of the output path, so the “..” components walk out of the extraction directory and the stream contents are written to an arbitrary, attacker-chosen location. The write itself does not execute anything, but a directory such as the Windows Startup folder can be targeted, so the payload runs the next time the user logs on.
Affected versions of WinRAR extract the expected file successfully and give no indication that anything else was written.
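The following is an added illustration of the flaw class described above, not RARLAB's code and not a reconstruction of WinRAR's actual extraction routine. It models an extractor that builds the output path "<entry>:<stream>" and trusts the stream name, beside a hardened version that rejects anything that is not a plain stream name and then confirms the resolved path is still under the extraction directory. All paths and the traversal string are constructed for the example; `ntpath.normpath` stands in for the path normalisation Windows performs, so the block runs on any platform.

```python
import ntpath

# Constructed paths for the demonstration; nothing here touches a real filesystem.
DEST_DIR = r"C:\Users\victim\Downloads\archive"
ENTRY = "readme.txt"
BENIGN_STREAM = "Zone.Identifier"
# A traversal string of the kind the advisory describes, smuggled in as the
# name of an alternate data stream attached to readme.txt (constructed).
EVIL_STREAM = (r".\..\..\..\..\..\..\Users\victim\AppData\Roaming\Microsoft"
               r"\Windows\Start Menu\Programs\Startup\update.lnk")
STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def vulnerable_stream_path(dest_dir, entry, stream):
    """Model of the flawed behaviour: the ADS target is "<dest>\\<entry>:<stream>"
    and the stream name is trusted, so ".." components in it walk out of dest_dir."""
    return ntpath.normpath(ntpath.join(dest_dir, entry) + ":" + stream)


def escapes(dest_dir, path):
    """True when an already-normalised path lies outside dest_dir.
    The trailing separator stops "...\\archive2" from matching "...\\archive"."""
    root = ntpath.normcase(ntpath.normpath(dest_dir)) + "\\"
    return not ntpath.normcase(path).startswith(root)


def hardened_stream_path(dest_dir, entry, stream):
    """Validate the stream name first, then prove the final path stays inside dest_dir.
    (The entry name needs the same containment check; it is assumed clean here.)"""
    # An NTFS stream name is a single name, never a path: no separators, no
    # colon, no dot-only names. Reject rather than try to sanitise.
    if not stream or stream in (".", "..") or any(c in stream for c in "\\/:"):
        raise ValueError(f"rejected ADS name {stream!r}")
    target = ntpath.normpath(ntpath.join(dest_dir, entry) + ":" + stream)
    # Defence in depth: even a name that passed the filter must resolve under dest_dir.
    if escapes(dest_dir, target):
        raise ValueError(f"{target!r} escapes {dest_dir!r}")
    return target


def is_rejected(dest_dir, entry, stream):
    """Convenience wrapper: does the hardened path builder refuse this stream name?"""
    try:
        hardened_stream_path(dest_dir, entry, stream)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in (BENIGN_STREAM, EVIL_STREAM):
        naive = vulnerable_stream_path(DEST_DIR, ENTRY, name)
        print(f"naive    -> {naive}  (escapes extraction dir: {escapes(DEST_DIR, naive)})")
        try:
            print(f"hardened -> {hardened_stream_path(DEST_DIR, ENTRY, name)}")
        except ValueError as err:
            print(f"hardened -> blocked: {err}")
```

Run stand-alone, the naive builder resolves the benign stream to `...\archive\readme.txt:Zone.Identifier` and the malicious one to `...\Startup\update.lnk`, exactly the outcome described above; the hardened builder returns the first and refuses the second at the name filter, before the containment check is even reached.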
How to mitigate CVE-2025-8088 vulnerability
The primary mitigation for CVE-2025-8088 is to update WinRAR to version 7.13 or later. WinRAR has no automatic update mechanism, so every installation must be upgraded manually or through software deployment tooling. Beyond patching, handle downloaded files and archives from unknown or untrusted sources with caution.
A vulnerable version of WinRAR gives no indication of compromise, so the decision has to be made before extraction: under a Zero Trust approach, an unexpected archive from an unknown sender is not opened at all, however benign its visible contents look.
Additionally, monitoring folders from which Windows runs content automatically, such as the per-user and all-users Startup folders, lets administrators catch a dropped payload before the next logon executes it and before significant damage is done to the machine and its network.
Recommendations for ThreatLocker customers
Application Control
ThreatLocker Application Allowlisting blocks applications that are not explicitly permitted by policy or identified during Learning Mode, including vulnerable versions of WinRAR.
Additional explicit deny policies can be created to prevent the use of high-risk applications, such as WinRAR, 7-Zip, MSBuild, or PsExec.
For high-risk applications that business processes require, permit policies combined with Ringfencing™ restrict what the application can interact with: specific files and directories (for example, denying an archive tool write access to the Startup folders), internet access, the registry, or the launching of other applications.
ThreatLocker Detect and Cyber Hero MDR
ThreatLocker Detect is a policy-based EDR solution that identifies known and unknown malicious activity almost instantly and can respond by enforcing policies, isolating compromised machines from the network, or activating lockdown mode.
Detect provides continuous visibility into the post-exploitation behavior that exploits of vulnerabilities like CVE-2025-8088 enable, such as a file appearing in a Startup folder. Even if a malicious payload is successfully written to disk, Detect flags the activity and alerts your security team before the attack progresses further.
For customers using Cyber Hero Managed Detection and Response, the Cyber Hero Team monitors detection events 24/7/365, validating threats, containing malicious activity, alerting customers, and guiding remediation in real time.
FAQs
Does exploiting CVE-2025-8088 automatically execute malware?
No. The vulnerability itself allows arbitrary file writes but does not directly execute payloads. However, attackers can write files to locations such as the Windows Startup folder to enable execution on user logon and establish persistence.
Why are alternate data streams significant in this attack?
Alternate data streams are a feature of NTFS filesystems. In this case, WinRAR incorrectly parses a malicious stream name containing directory traversal paths, treating it as a valid extraction location and writing the embedded payload outside the intended directory.
Can users detect this attack during extraction?
No. Affected versions of WinRAR extract the archive without displaying errors or warnings, and the additional write to the attacker-chosen location happens silently.
How can organizations reduce the risk of this vulnerability?
Organizations should update WinRAR to version 7.13 or later, avoid extracting archives from untrusted sources, and monitor sensitive directories that allow automated execution. Implementing application control and behavior-based detection further reduces exposure.