Diverse threat actors exploiting critical WinRAR vulnerability (CVE-2025-8088)

Source: Google Cloud Threat Intelligence, cloud.google.com/blog/topi…

The Google Threat Intelligence Group (GTIG) has identified widespread, ongoing exploitation of CVE-2025-8088, a critical vulnerability in WinRAR, a widely used file archiving utility for Windows. The flaw is being leveraged to establish initial access and deliver a range of malicious payloads.

Discovered and patched in July 2025, the vulnerability continues to be exploited as an n-day by a broad set of adversaries. These include government-backed threat actors linked to Russia and China, as well as financially motivated cybercriminal groups operating across multiple, unrelated campaigns.

The exploitation technique is consistent across observed activity and involves a path traversal flaw that enables attackers to place files into the Windows Startup folder, thereby achieving persistence. GTIG notes that the continued success of this technique highlights enduring gaps in basic application security controls and user awareness.

In its blog post, GTIG provides an overview of CVE-2025-8088, details the typical exploit chain, outlines observed activity from both financially motivated and state-sponsored espionage actors, and supplies indicators of compromise (IOCs) to support detection and threat-hunting efforts.
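As an added example, not code from the GTIG post or from the WinRAR project, the following Python check audits archive entry names before extraction and flags the two conditions the summary above describes: an entry whose path would resolve outside the extraction directory, and an entry that resolves into a Windows Startup folder. The sample entry names, the Startup-folder marker paths and all function names are constructed for illustration; the check is generic to any archive listing (zip, rar, tar) and does not parse the RAR format itself.

```python
"""Audit archive entry names for path traversal and Startup-folder targets.

Added example (not from the original page). It takes a list of entry names
as an archive lister would report them and returns findings, so it can be
wired in front of any extraction step or run over a listing offline.
"""

# Well-known Startup folder suffixes (per-user and all-users). Constructed
# marker list for this example; compared case-insensitively.
STARTUP_MARKERS = (
    r"\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)


def normalize_entry(name: str) -> str:
    """Treat '/' and '\\' alike, the way a Windows extractor resolves them."""
    return name.replace("/", "\\")


def escapes_root(name: str) -> bool:
    """True if the entry would land outside the extraction directory.

    Absolute paths (drive letter, rooted or UNC) are never acceptable inside
    an archive; relative paths are walked component by component so that
    'a\\..\\b' stays inside while '..\\x' or 'a\\..\\..\\x' escapes.
    """
    n = normalize_entry(name)
    if n.startswith("\\") or (len(n) >= 2 and n[1] == ":"):
        return True
    depth = 0
    for part in n.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def targets_startup(name: str) -> bool:
    """True if the entry path contains a Startup-folder marker."""
    n = normalize_entry(name).lower()
    return any(marker in n for marker in STARTUP_MARKERS)


def audit_entries(names):
    """Return [(entry_name, [reasons])] for every entry worth blocking."""
    findings = []
    for name in names:
        reasons = []
        if escapes_root(name):
            reasons.append("path traversal")
        if targets_startup(name):
            reasons.append("startup folder")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed archive listing: two benign entries, one relative traversal
# into the per-user Startup folder, one absolute path, one harmless '..'.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/notes.txt",
    r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\Public\helper.bat",
    "images/../cover.png",
]

if __name__ == "__main__":
    for entry, reasons in audit_entries(SAMPLE_ENTRIES):
        print(f"BLOCK {entry!r}: {', '.join(reasons)}")
```

Run the audit over the listing your extraction tool or sandbox produces before any file is written; a hit on either reason is enough to quarantine the archive, and a Startup-folder hit is also a useful pivot for hunting existing persistence on the hosts that received it.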
Edward Kiledjian
@ekiledjian