Overview: CVE-2025-8088 is a critical path traversal vulnerability in WinRAR 7.12 and earlier that is exploited by getting the victim to extract a specially crafted archive. On extraction it lets the attacker write files into sensitive directories such as the Windows Startup folder, which yields code execution the next time the victim logs on.
Summary:
- CVE ID: CVE-2025-8088
- CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
- Affected software: WinRAR 7.12 and earlier (fixed in 7.13)
- Impact: persistence and compromise of the victim's account, with code running under the privileges of the victim user
About the vulnerability:
CVE-2025-8088 is a path traversal flaw in WinRAR. A specially crafted .rar file can place files outside the extraction folder the user chose, including in sensitive locations such as "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup". The traversal sequence is carried in the name of an NTFS alternate data stream (ADS) attached to an archived file rather than in the file name itself, so a check that only looks at file names misses it. A similar path traversal vulnerability in WinRAR, CVE-2025-6218, was disclosed on June 19th, 2025, roughly a month earlier.
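The check a defender wants here is a way to look at an archive's file names and stream names before extracting it. The Python tool below is an added example; it is not part of the original page, not WinRAR's code, and not the archive-building script the author used. It walks the RAR5 block structure without extracting anything and reports any file name or alternate-data-stream name that would leave the destination folder. The block layout (CRC32, vint-sized headers, extra records) follows the public RAR 5.0 technote; the detail that an "STM" service header stores its stream name as UTF-16LE in a type-0x07 service-data extra record is my reading of the technote and of unrar's extinfo.cpp, not something the page states, so treat it as an assumption. build_archive is only a constructed fixture for exercising the scanner: it writes stored (uncompressed) entries and is not a reproduction of the PoC.

```python
"""Pre-extraction triage of a RAR5 archive: flag file and ADS names that would escape the destination folder."""
import re, struct, zlib
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, HFL_CHILD = 0x01, 0x02, 0x20   # block flags: extra area, data area, child block
FFL_UTIME, FFL_CRC32 = 0x02, 0x04                    # file flags: unix mtime / data CRC32 present
FHEXTRA_SUBDATA = 0x07   # "service data" extra record; assumed to carry the STM stream name as UTF-16LE

def vint_encode(n):
    out = bytearray()                                # 7 payload bits per byte, little-endian, high bit = more
    while True:
        out.append((n & 0x7F) | (0x80 if n >> 7 else 0))
        n >>= 7
        if not n:
            return bytes(out)

def vint_decode(buf, pos):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def _block(htype, flags, body, extra=b"", data=b""):
    """One block: CRC32 | size | type | flags | [extra size] | [data size] | body | extra || data."""
    flags |= (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0)
    hdr = vint_encode(htype) + vint_encode(flags)
    hdr += (vint_encode(len(extra)) if extra else b"") + (vint_encode(len(data)) if data else b"")
    hdr = vint_encode(len(hdr) + len(body) + len(extra)) + hdr + body + extra
    return struct.pack("<I", zlib.crc32(hdr)) + hdr + data

def _file_body(name, data):
    """Stored (method 0) file/service fields: flags, unpacked size, attrs, data CRC32, comp info, OS, name."""
    raw = name.encode("utf-8")
    return (vint_encode(FFL_CRC32) + vint_encode(len(data)) + vint_encode(0x20) + struct.pack("<I", zlib.crc32(data))
            + vint_encode(0) + vint_encode(0) + vint_encode(len(raw)) + raw)

def build_archive(entries):
    """Constructed test fixture (not WinRAR output): entries = [(file_name, data, [(stream_name, stream_data)])]."""
    out = bytearray(RAR5_SIG + _block(HEAD_MAIN, 0, vint_encode(0)))
    for name, data, streams in entries:
        out += _block(HEAD_FILE, 0, _file_body(name, data), data=data)
        for sname, sdata in streams:                 # every ADS becomes an "STM" service header
            sub = sname.encode("utf-16-le")
            rec = vint_encode(len(sub) + 1) + vint_encode(FHEXTRA_SUBDATA) + sub
            out += _block(HEAD_SERVICE, HFL_CHILD, _file_body("STM", sdata), extra=rec, data=sdata)
    return bytes(out + _block(HEAD_ENDARC, 0, vint_encode(0)))

def suspicious_name(name, is_stream):
    """An ADS name is ':name' and must never contain a separator; a file name must stay relative."""
    if is_stream:
        return "\\" in name or "/" in name
    return ".." in re.split(r"[\\/]", name) or name[:1] in ("\\", "/") or re.match(r"[A-Za-z]:", name) is not None

def stm_stream_name(extra):
    """Stream name from the service-data record of an STM header's extra area (UTF-16LE assumed, see above)."""
    pos = 0
    while pos < len(extra):
        size, pos = vint_decode(extra, pos)           # pos now sits on the record's Type field
        rtype, p = vint_decode(extra, pos)
        if rtype == FHEXTRA_SUBDATA:
            return extra[p:pos + size].decode("utf-16-le", "replace")
        pos += size

def scan_rar5(blob):
    """Walk every block without extracting; return [(kind, parent_file, offending_name)]."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, parent, findings, htype = len(RAR5_SIG), None, [], None
    while pos < len(blob) and htype != HEAD_ENDARC:
        size, p = vint_decode(blob, pos + 4)
        hdr_end = p + size
        if zlib.crc32(blob[pos + 4:hdr_end]) != struct.unpack_from("<I", blob, pos)[0]:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = vint_decode(blob, p)
        flags, p = vint_decode(blob, p)
        extra_size, p = vint_decode(blob, p) if flags & HFL_EXTRA else (0, p)
        data_size, p = vint_decode(blob, p) if flags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = vint_decode(blob, p)
            _, p = vint_decode(blob, p)                                       # unpacked size
            _, p = vint_decode(blob, p)                                       # attributes
            p += 4 * bool(fflags & FFL_UTIME) + 4 * bool(fflags & FFL_CRC32)  # mtime, data CRC32
            _, p = vint_decode(blob, p)                                       # compression info
            _, p = vint_decode(blob, p)                                       # host OS
            nlen, p = vint_decode(blob, p)
            name = blob[p:p + nlen].decode("utf-8", "replace")
            if htype == HEAD_FILE:
                parent = name
                if suspicious_name(name, False):
                    findings.append(("file", name, name))
            elif name == "STM":                      # ADS belonging to the preceding file header
                stream = stm_stream_name(blob[hdr_end - extra_size:hdr_end])
                if stream is not None and suspicious_name(stream, True):
                    findings.append(("ads", parent, stream))
        pos = hdr_end + data_size
    return findings
```

Run it as scan_rar5(open(path, "rb").read()) on a suspicious archive before extracting it. An empty result means no traversal was found in file or stream names, not that the archive is safe: an archive with encrypted headers cannot be inspected this way at all (the scanner will fail on the first encrypted block), which is exactly why password-protected archives deserve extra caution.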
I tested this CVE on a Windows 10 virtual machine running inside VMware with WinRAR 7.12, to simulate real-world conditions, and used a Python-based script to create the malicious .rar (you can find it below the References section; thanks, jordan).
PoC (Proof of Concept):
Impact:
A successful attack gives the attacker arbitrary code execution with the privileges of the victim user once the victim extracts the archive. By dropping the payload into the Startup folder, the attacker also gains persistence: the payload runs at every logon. While AV solutions may catch the final payload through behavioral monitoring, the technique shows why password-protected archives, whose contents cannot be scanned before extraction, still pose a risk.
Mitigation:
- Update WinRAR to 7.13 or later, the release that fixes this issue, immediately.
- Avoid extracting untrusted archives, especially those that require a password, since their contents cannot be scanned beforehand.
- Use endpoint security solutions with behavior-based detection, not just signature-based scanning.
- Restrict write permissions to critical folders like Startup.