A previously unknown security flaw in the popular file archiver WinRAR is being actively exploited by the Russia-aligned hacking group RomCom and other threat actors.
According to security research by ESET, the vulnerability, a zero-day path traversal flaw, allows attackers to hide malicious files within a specially crafted archive. When an unsuspecting user extracts the archive, the malicious files are silently written to their system.
Security Research
The cyber espionage group RomCom has been observed using this exploit to deliver their custom malware. The attack is initiated when a user is lured into downloading and opening a malicious archive file. These files, often disguised as legitimate documents or software, can be delivered through various means, including phishing emails and malicious websites. Once the user opens the archive, the vulnerability is triggered, and the malware is installed without any further user interaction.
The vulnerability resides in the way WinRAR handles file paths, allowing attackers to write files to arbitrary locations on the victim’s computer. This can lead to the execution of malicious code, giving the attackers control over the compromised system.
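The flaw described above is a class of bug, not a single line of code: an extractor that trusts the file names stored in an archive and joins them onto the destination directory can be steered into writing outside that directory. The following is an added example, written for this article and not code from ESET or from WinRAR, showing the check a safe extractor (or an archive scanner used by a mail gateway or endpoint agent) performs on entry names before writing anything. The entry names in SAMPLE_ENTRIES are constructed placeholders; the function names are the example's own.

```python
"""Validate archive entry names against path traversal before extraction.

Added example (not ESET's or WinRAR's code). An archive entry name such as
"..\\..\\payload.exe" is harmless as a string, but an extractor that writes it
relative to the chosen output folder ends up two directories above that
folder. The checks below canonicalise each name and refuse anything that
would land outside the extraction root.
"""
import os
import posixpath
import re
from pathlib import PurePosixPath

# Windows drive prefix such as "C:" marks an absolute path even when the
# extractor runs on a POSIX host.
_WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:")

# Constructed sample of entry names as they might appear in an archive listing.
# The traversal-style entries are illustrative placeholders, not real samples.
SAMPLE_ENTRIES = [
    "report.docx",
    "images/logo.png",
    "nested/../sibling.txt",        # resolves inside the root, so it is allowed
    "..\\..\\payload.exe",          # Windows-style separators, escapes the root
    "../../../etc/cron.d/job",      # POSIX-style traversal
    "C:\\Windows\\Temp\\x.dll",     # absolute path via drive letter
    "/etc/passwd",                  # absolute POSIX path
]


def normalize_entry(name: str) -> str:
    """Canonicalise an entry name for checking.

    Backslashes are treated as separators (archives built on Windows use
    them), and "." segments and repeated separators are collapsed so that a
    later check on ".." components sees the real shape of the path.
    """
    return posixpath.normpath(name.replace("\\", "/"))


def is_safe_entry(name: str) -> bool:
    """Return True only if the entry would land inside the extraction root."""
    norm = normalize_entry(name)
    if norm in ("", ".") or "\0" in norm:
        return False
    if norm.startswith("/") or _WINDOWS_DRIVE.match(norm):
        return False                      # absolute path
    # After normpath, any remaining ".." component climbs above the root.
    return ".." not in PurePosixPath(norm).parts


def audit_entries(names):
    """Return the entry names that would be rejected by is_safe_entry."""
    return [n for n in names if not is_safe_entry(n)]


def safe_target(root: str, name: str) -> str:
    """Compute the on-disk path for an entry, refusing anything outside root.

    The commonpath check is a second, filesystem-level guard in case the
    string-level normalisation above misses a platform-specific form.
    """
    if not is_safe_entry(name):
        raise ValueError(f"unsafe archive entry: {name!r}")
    root = os.path.abspath(root)
    target = os.path.normpath(os.path.join(root, normalize_entry(name)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"entry escapes extraction root: {name!r}")
    return target


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        verdict = "ok     " if is_safe_entry(entry) else "REJECT "
        print(verdict, entry)
```

Run it directly to see each sample entry classified; in an extractor, call safe_target for every entry and abort the whole extraction on the first ValueError rather than skipping the bad entry, since a single rejected name is a strong signal that the archive is hostile and worth quarantining.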
Fix and Patch Release
WinRAR has released a patch to address this critical vulnerability. All users are strongly urged to update their software to the latest version, 7.13, which was released on July 30th, 2025.
Key Impacts
Silent Malware Installation: The primary impact of this vulnerability is the ability for attackers to install malware on a victim’s system without their knowledge. This can lead to data theft, financial loss, and further network compromise.
Targeted Attacks: The use of this exploit by the RomCom group suggests that it is being used in targeted attacks against specific individuals and organizations. This could include government agencies, corporations, and political dissidents.
Widespread Risk: Given the popularity of WinRAR, a large number of users are potentially at risk. Any individual or organization that uses WinRAR for file compression and decompression should take immediate action to mitigate this threat.
Supply Chain Risk: The vulnerability also extends to software that uses the UnRAR.dll library, which is the command-line version of WinRAR. This means that other applications that rely on this library for extracting archives may also be vulnerable.