Google has warned that a well-known and already-patched exploit for the WinRAR file archiving and compression tool for Windows remains in "widespread, active" use by "government-backed threat actors linked to Russia and China".
Known as critical vulnerability CVE-2025-8088, the exploit was identified in July last year and was posted on the National Vulnerability Database back in August. It's widely known, and numerous other bodies, even including the UK's NHS, have registered the threat.
Among the latter, Google says one group targets hospitality and travel sectors using phishing emails around hotel bookings. Google concludes that this WinRAR bug just goes to show the "enduring danger posed by n-day vulnerabilities."
N-day vulnerabilities, of course, are known security flaws for which patches or fixes exist. The point being, again, that patches are only of any use with actual, ya-know, use.
All of which means the conclusion here is fairly straightforward. Happily, it's very easy to ensure you aren't at risk from this exploit.
If you use WinRAR and haven't updated to the latest 7.13 build, do that immediately. Until then, do not pass go. Do not open any WinRAR archive, no matter its provenance. And that's really it.








