- ESET found a high-severity bug in WinRAR being used by RomCom, a known Russian hacking collective
- The bug was being used to deploy backdoors allowing full access to compromised computers
- WinRAR says it has fixed the issue, so users should update now
Iconic archiving platform WinRAR carried a dangerous zero-day vulnerability which could have let hackers plant malware on compromised computers, security researchers are warning.
Recently, researchers from ESET discovered a directory traversal vulnerability in the latest version of WinRAR. The flaw is now tracked as CVE-2025-8088, and was given a severity score of 8.4/10 (high).
To make matters worse, hackers were seen abusing the flaw in the wild to drop RomCom’s malware variants.
Patching the bug
ESET’s researchers said the flaw was being abused in spear phishing attacks (highly targeted phishing attacks) by the Russian-speaking threat actor known as RomCom, a group known for running espionage and financially-motivated attacks.
Its usual targets include government, military, and critical infrastructure organizations, so spear phishing attacks would make perfect sense.
The group was using the bug to deploy backdoors which would give them full access to the compromised computers.
The group’s earliest sightings were in 2022, targeting entities across Europe and North America. It often spoofs legitimate software in its attacks, with the RomCom RAT being its flagship malware.
RomCom is also tracked by other security outfits under monikers Storm-0978, Tropical Scorpius, and UNC2596.
After the discovery, WinRAR released a patch to fix the flaw. The first clean version is 7.13.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” WinRAR explained in its changelog. “Unix versions of RAR, UnRAR, portable UnRAR source code and UnRAR library, also as RAR for Android, are not affected.”
WinRAR is a type of program that doesn’t update automatically, so unless users uninstall it and download the latest version manually, they will remain vulnerable.
Via BleepingComputer
You might also like
https://cdn.mos.cms.futurecdn.net/QfeeSjEgohJ7KGzbRs6ktm.jpg
Source link
