CVE-2025-8088

HighCISA KEVActive Exploitation

Published: 08 August 2025

Published

08 August 2025

Modified

30 October 2025

KEV Added

12 August 2025

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0829 92.3th percentile

Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8088 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability in Microsoft Windows. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 7.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely patching of the WinRAR path traversal vulnerability to directly prevent arbitrary code execution from malicious archives.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection mechanisms to scan and block crafted RAR archives exploiting the path traversal vulnerability at entry points.

CM-11 User-installed Software good match

prevent

Prohibits or controls user installation of vulnerable third-party software like WinRAR, preventing deployment of exploitable applications.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Path traversal enables arbitrary code execution via crafted malicious WinRAR archives requiring user interaction to open, directly facilitating client-side exploitation (T1203) and malicious file execution (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček…

from ESET.

Deeper analysisAI

CVE-2025-8088 is a path traversal vulnerability (CWE-35) affecting the Windows version of WinRAR, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Published on 2025-08-08, it enables attackers to execute arbitrary code by crafting malicious archive files processed by the software.

Remote attackers without privileges can exploit the vulnerability by distributing malicious archives, requiring user interaction such as opening the file in WinRAR on a Windows system. Successful exploitation grants high-impact arbitrary code execution, compromising confidentiality, integrity, and availability.

Advisories from WinRAR and security analyses, including those from Ars Technica and Vicarius, detail detection and mitigation strategies; Vicarius specifically covers approaches using Software Restriction Policies (SRP) and Image File Execution Options (IFEO).

The vulnerability was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET and has been exploited in the wild, including for weeks by two groups as reported in related coverage.

Details

CWE(s): CWE-35
KEV Date Added: 12 August 2025

Affected Products

rarlab

winrar

≤ 7.13

dtsearch

≤ 2023.01

CVEs Like This One

CVE-2026-34621Same product: Microsoft Windowsboth on KEV

CVE-2025-2783Same product: Microsoft Windowsboth on KEV

CVE-2026-21510Same vendor: Microsoftboth on KEV

CVE-2025-24993Same vendor: Microsoftboth on KEV

CVE-2026-21513Same vendor: Microsoftboth on KEV

CVE-2026-3910Same product: Microsoft Windowsboth on KEV

CVE-2025-13223Same product: Microsoft Windowsboth on KEV

CVE-2026-3909Same product: Microsoft Windowsboth on KEV

CVE-2026-5281Same product: Microsoft Windowsboth on KEV

CVE-2025-10585Same product: Microsoft Windowsboth on KEV

References

https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=283&cHash=a64b4a8f662d3639dec8d65f47bc93c5
Release Notes · security@eset.com
https://arstechnica.com/security/2025/08/high-severity-winrar-0-day-exploited-for-weeks-by-2-groups/
Press/Media Coverage · af854a3a-2127-422b-91ae-364da2661108
https://support.dtsearch.com/faq/dts0245.htm
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2025-8088-detect-winrar-zero-day
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2025-8088-mitigate-winrar-zero-day-using-srp-and-ifeo
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-8088
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/#the-discovery-of-cve-2025-8088
Press/Media Coverage · 134c704f-9b21-4f2e-91b3-4a467353bcc0