Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088 (CVSS 8.8)
Estimated reading time: 7 minutes
- Critical Vulnerability: CVE-2025-8088 is a path traversal flaw in WinRAR allowing arbitrary code execution with a CVSS score of 8.8.
- State-Sponsored Activity: Actors from Russia (Sandworm, Gamaredon, Turla) and China are actively exploiting this flaw to deploy malware like SnipBot and Poison Ivy.
- Immediate Action Required: Organizations must update to WinRAR version 7.13 or higher and monitor the Windows Startup folder for unauthorized file creation.
- Broad Threat Landscape: Concurrent zero-days in n8n automation and Fortinet SSO systems highlight a concentrated effort to compromise supply chains and network perimeters.
Table of Contents
- Technical Analysis of the WinRAR Exploitation Vector
- The Underground Marketplace and Commodity Exploits
- Concurrent Vulnerabilities: n8n Sandbox Escapes
- Fortinet SSO Bypass: CVE-2026-24858
- Practical Takeaways for Technical Teams
- Practical Takeaways for Business Leaders
- The Role of PurpleOps in Mitigating Modern Threats
- Frequently Asked Questions (FAQ)
Google Threat Intelligence Group (GTIG) has issued a technical alert regarding the active exploitation of a critical vulnerability in RARLAB WinRAR, identified as CVE-2025-8088. This security flaw, which carries a CVSS score of 8.8, is currently being leveraged by a diverse range of threat actors, including state-sponsored groups from Russia and China, as well as financially motivated cybercriminals. The vulnerability allows for arbitrary code execution when a user opens a specially crafted archive file.
The primary mechanism of CVE-2025-8088 is a path traversal flaw. When a target opens a malicious RAR archive, the vulnerability allows the application to drop files into sensitive directories, most notably the Windows Startup folder. By placing a malicious payload in this directory, attackers ensure persistence; the code executes automatically every time the user logs into the system. Despite a patch being available since July 30, 2025 (WinRAR version 7.13), the widespread use of legacy versions has created a significant gap in defensive posture.
Analysis by GTIG and ESET indicates that exploitation began as a zero-day as early as July 18, 2025. Initial activity was attributed to the RomCom group (also tracked as CIGAR or UNC4895), a threat cluster known for both espionage and financial extortion. RomCom used the flaw to distribute SnipBot (also known as NESTPACKER) malware. This group’s activities often intersect with the operators of Cuba Ransomware and the Industrial Spy data extortion marketplace, demonstrating a high level of coordination between different tiers of the cybercrime ecosystem.
Technical Analysis of the WinRAR Exploitation Vector
The exploitation chain typically utilizes Windows shortcut (LNK) files concealed within the Alternate Data Streams (ADS) of a decoy file inside the archive. This technique effectively hides the malicious payload from basic file system inspections. When the user interacts with the archive, the path traversal flaw triggers the extraction of the LNK file to the Windows Startup folder.
Several Russian-aligned threat actors have integrated this vulnerability into their operational toolsets:
- Sandworm (APT44/FROZENBARENTS): This group has used the flaw to deliver decoy documents with Ukrainian filenames, paired with LNK files designed to initiate secondary downloads.
- Gamaredon (CARPATHIAN): Frequently targeting Ukrainian government entities, Gamaredon uses malicious RAR archives containing HTML Application (HTA) files. These HTA files function as downloaders for subsequent stages of infection.
- Turla (SUMMIT): This actor has deployed the STOCKSTAY malware suite through lures focused on Ukrainian military drone operations, utilizing the WinRAR flaw for initial execution.
In addition to Russian groups, China-based actors have weaponized CVE-2025-8088 to deploy the Poison Ivy remote access trojan (RAT). Their method involves dropping a batch script into the Startup folder, which then downloads a dropper to finalize the compromise.
The financial sector has also seen targeted attacks. A cybercrime group focusing on Brazilian banking users utilized the WinRAR vulnerability to deliver a malicious Chrome extension. This extension is capable of JavaScript injection into banking sites to facilitate credential theft. These diverse applications of a single vulnerability underscore the necessity for a comprehensive cyber threat intelligence platform that can track cross-sector exploitation trends.
The Underground Marketplace and Commodity Exploits
The rapid adoption of CVE-2025-8088 is driven by the commoditization of exploits in the underground economy. GTIG identified an upstream supplier operating under the alias “zeroplayer,” who marketed a WinRAR exploit in the weeks preceding public disclosure. Such suppliers reduce the technical threshold for entry, allowing less sophisticated actors to deploy advanced payloads like AsyncRAT and XWorm via Telegram bot-controlled backdoors.
This commoditization necessitates the use of a dark web monitoring service to identify when new vulnerabilities are being traded or when specific organizational assets are mentioned in underground forums. Identifying these early indicators of interest allows organizations to prioritize patching and monitoring before a mass-exploitation campaign begins. Access to underground forum intelligence provides the context needed to understand which threat actors are purchasing these tools and what their likely targets will be.
Concurrent Vulnerabilities: n8n Sandbox Escapes
The threat landscape in early 2026 is further complicated by vulnerabilities in workflow automation tools. Researchers at JFrog recently disclosed two high-severity flaws in the n8n platform:
- CVE-2026-1470 (CVSS 9.9): An eval injection vulnerability that allows authenticated users to bypass the Expression sandbox. This leads to full remote code execution on the main n8n node.
- CVE-2026-0863 (CVSS 8.5): A similar injection flaw in the python-task-executor, allowing for arbitrary Python code execution on the underlying operating system.
These vulnerabilities are particularly dangerous because n8n often holds sensitive credentials, including LLM APIs, sales data, and IAM system access. A compromise of an n8n instance can serve as a “skeleton key” for an entire corporate infrastructure. This emphasizes the importance of supply-chain risk monitoring, as third-party automation tools can become central points of failure. Organizations using such platforms must ensure they are operating in “external” execution mode to provide proper isolation between the application and task runner processes.
Fortinet SSO Bypass: CVE-2026-24858
Network perimeter security has also been challenged by a critical zero-day in Fortinet products. Identified as CVE-2026-24858 (CVSS 9.4), this flaw allows attackers with a valid FortiCloud account to bypass Single Sign-On (SSO) authentication and access devices associated with other accounts.
The vulnerability was actively exploited in the wild before Fortinet temporarily suspended FortiCloud SSO services on January 26, 2026. Attackers were observed creating new local administrative accounts on FortiGate firewalls, even on systems that were otherwise fully patched. This incident demonstrates that even when breach detection systems are in place, authentication bypasses at the perimeter can lead to rapid unauthorized access.
The surge in these types of attacks highlights the need for real-time ransomware intelligence and live ransomware API integrations. When a perimeter device like a firewall is compromised, the time between initial access and the deployment of ransomware is often measured in hours. Organizations must have automated systems to detect these anomalies instantly.
Practical Takeaways for Technical Teams
- WinRAR Update and Audit: Immediately update all WinRAR installations to version 7.13 or higher. In environments where WinRAR is not strictly necessary, consider transitioning to the native archive support provided by modern operating systems or using alternative open-source tools with centralized update mechanisms.
- Startup Folder Monitoring: Implement file integrity monitoring (FIM) or specific EDR rules to alert on any new file creation within the
\Microsoft\Windows\Start Menu\Programs\Startupdirectory. This is a primary persistence mechanism for the WinRAR exploit. - n8n Configuration: If using n8n, ensure the platform is configured to “external” execution mode. Update to versions 1.123.17, 2.4.5, or 2.5.1 (for CVE-2026-1470) and 1.123.14, 2.3.5, or 2.4.2 (for CVE-2026-0863).
- FortiOS Remediation: For organizations using Fortinet devices, verify that the latest firmware is installed. If patching is delayed, manually disable the “Allow administrative login using FortiCloud SSO” setting in the FortiCare registration GUI to mitigate CVE-2026-24858.
- ADS Inspection: Configure security tools to scan for Alternate Data Streams in downloaded archives. Attackers use ADS to hide malicious LNK and executable files from standard file explorers.
Practical Takeaways for Business Leaders
- Vulnerability Management Policy: Shift from a periodic patching cycle to a risk-based approach. The exploitation of CVE-2025-8088 as an “n-day” months after a patch was released shows that legacy software remains a high-value target.
- Review Third-Party Access: Audit the permissions granted to automation tools like n8n. Ensure that these platforms only have the minimum necessary access to corporate data and internal systems.
- Brand Protection: Utilize brand leak alerting to identify if corporate credentials or sensitive configuration files have been exposed on public or underground platforms.
- Communication Channels: Be aware that threat actors are increasingly using non-traditional channels for command and control. Integration of telegram threat monitoring into your security operations can help identify C2 traffic that might otherwise blend in with legitimate business communication.
The Role of PurpleOps in Mitigating Modern Threats
The current threat environment requires a multi-layered defense strategy that extends beyond simple patching. At PurpleOps, we provide the specialized tools and expertise necessary to navigate these complex vulnerabilities. Our cyber threat intelligence services offer deep visibility into actor motivations and early-stage exploit development, allowing your team to move from a reactive to a proactive security posture.
For organizations concerned about their external attack surface, our Dark Web Monitoring service provides continuous surveillance of underground forums, identifying the sale of exploits or the leakage of corporate data before they result in a full-scale breach. We track suppliers like “zeroplayer” and monitor the distribution of commodity malware families to provide you with actionable intelligence.
Furthermore, our and Red Team Operations services simulate the exact tactics used by groups like Sandworm and RomCom. By testing your defenses against path traversal attacks and sandbox escapes in a controlled environment, we identify gaps in your security controls before threat actors can exploit them.
The vulnerabilities in n8n and Fortinet highlight the critical nature of Supply Chain Information Security. We help organizations assess the risk profiles of their third-party software and automation platforms, ensuring that your core infrastructure remains protected even when upstream vulnerabilities are discovered.
To better protect your organization against ransomware and advanced persistent threats, our Protect Against Ransomware services integrate the latest intelligence into your defensive architecture. Whether it is responding to a zero-day in a perimeter firewall or securing your internal automation workflows, PurpleOps provides the technical depth required to maintain operational resilience.
The exploitation of CVE-2025-8088 and the concurrent flaws in n8n and FortiOS demonstrate a concentrated effort by threat actors to exploit authentication and persistence mechanisms. These are not isolated incidents but part of a broader trend where known vulnerabilities are rapidly commoditized. Effective defense requires a combination of timely patching, rigorous configuration management, and the use of advanced Cyber Threat Intelligence to anticipate the next move of both state-sponsored and criminal adversaries.
For more information on how to secure your infrastructure against these vulnerabilities or to learn more about our Platform and PurpleOps Solutions, contact PurpleOps today. Our team of analysts and engineers is ready to help you strengthen your security posture and defend against the latest cyber threats.
Frequently Asked Questions (FAQ)
1. What is the primary risk of CVE-2025-8088 in WinRAR?
The vulnerability is a path traversal flaw that allows attackers to write malicious files into sensitive directories like the Windows Startup folder. This enables arbitrary code execution and persistence whenever a user opens a specially crafted RAR archive.
2. Which WinRAR version is safe to use?
Users should update to WinRAR version 7.13 or higher immediately. Versions prior to this remain vulnerable to active exploitation.
3. How are threat actors hiding malicious files within archives?
Attackers are utilizing Alternate Data Streams (ADS) to conceal malicious Windows shortcut (LNK) files within decoy documents, making them invisible to standard file system browsers while remaining functional for exploitation.
4. What are the n8n vulnerabilities disclosed recently?
CVE-2026-1470 and CVE-2026-0863 involve sandbox escapes in the n8n automation platform, potentially giving attackers remote code execution and access to sensitive corporate credentials and LLM APIs.
5. What should Fortinet users do regarding CVE-2026-24858?
Beyond updating to the latest firmware, organizations should manually disable administrative logins using FortiCloud SSO to prevent attackers from bypassing authentication and creating unauthorized local accounts.