
WinRAR is present and undermanaged on endpoints across most enterprises. Its install base rarely updates, and attackers exploit that. CVE-2025-8088 is still landing nearly a year after disclosure. The more useful point is what came before that CVE: WinRAR's runtime behavior and CWE history flagged it as high-risk long before the CVE was assigned. That is the case for treating runtime evidence as a leading indicator, rather than waiting on a CVE feed. Like many tools built by a handful of developers but deployed at global scale, WinRAR accrues security debt a small team can never fully pay down.
Threat actors take notice. A widely deployed application whose users care that it works, not whether it is current, is exactly the target profile they look for.
At Spektion, we see more than which applications are installed and how many CVEs apply to them. We observe update cadence and how applications like WinRAR actually behave at runtime. Instead of waiting on a published CVE, we build detections for the CWE patterns that have repeatedly produced CVEs, so we can flag an application's exposure before a specific CVE exists. The result is a complete picture: organizations can decide whether to allow an application, and how to mitigate the risk if they do.
This Application Spotlight covers the origins and history of WinRAR, the vulnerabilities that have impacted and continue to impact the product, and the runtime weaknesses we observed that may forecast future CVEs or associated risk.

WinRAR, the Windows implementation of Eugene Roshal's RAR (Roshal ARchive) format, was first released in 1995. It began as a standalone utility that outperformed competing compression tools of the era. It was not until February 2002 that Win.rar GmbH was formed to handle the business side of an application that would go on to reach more than 500 million users over its lifetime.
When the first commercial version was released, it used the now-infamous 40-day trial period. Unlike other tools that have utilized this model, the application continued to work even after the trial period had expired. Because it was effectively free, it spread far beyond the users who would ever buy a license. Competitors came and went (PKZIP, WinZip, WinACE, later 7-Zip), but none displaced WinRAR's entrenched install base.
As of June 2026, 29 published vulnerabilities impact WinRAR. The published CVEs break down as follows:

Out of the 29 total CVEs, 15 met the criteria of a CVSS v3 score of 7.5 or greater. To understand an application's risk, look past the raw CVE count to the weakness classes behind it, and whether they trend. In this instance, the most prominent CWE is CWE-787 (out-of-bounds write), the weakness class for code that writes data past its intended memory boundary.

The most common weakness class on paper is not the one attackers use. CWE-787 leads the count, but every documented campaign against WinRAR since 2018 has run through path traversal (CWE-22, CWE-35, CWE-36), the way WinRAR handles attacker-supplied archive contents.
Several campaigns have exploited high-severity vulnerabilities in this application, not only because the vulnerabilities exist, but because the operators can count on a large portion of the user base running a vulnerable version.
From a threat actor's perspective, whoever they target is probably a WinRAR user, and probably running an old version, since nothing has ever forced them to update. As multiple sources have recently outlined, CVE-2025-8088 is still being actively exploited even though the CVE was published August 8, 2025.
Recent reporting related to campaign usage of CVE-2025-8088:
Four WinRAR CVEs have driven real-world campaigns:
At the time this vulnerability was published, WinRAR was still supporting the ACE archive format using an outdated third-party library, UNACEV2.dll. Using WinRAR, an attacker could write a malicious file outside the target extraction location, to a path of their choosing. In one documented campaign, the attacker wrote a file to the Windows startup folder and then convinced the end user to restart the system, causing the malicious file to execute.
The most consequential WinRAR vulnerability in years: exploited as a zero-day against financial traders for months before disclosure, then adopted by both state-sponsored and crimeware operators. A crafted archive runs attacker code when the victim opens what looks like a benign file.
This is a variant of CVE-2025-6218 that abuses NTFS Alternate Data Streams (ADS) rather than traditional path-traversal sequences: the archive shows a harmless decoy file while hidden ADS entries carry the traversal payload. To further illustrate this vulnerability and how it functions, we recreated the exploitation chain documented by Trend Micro.
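The traversal classes named above (CWE-22, CWE-35, CWE-36) and the ADS variant all show up in the archive listing before a single byte is extracted, so the defensive check is to audit entry names first. The following is an added example written for this spotlight, not Spektion's code and not a recreation of any documented exploit chain; the archive entries and the extraction root `C:\extract` are constructed, and the check is lexical only.

```python
import ntpath
import re

# Constructed sample archive listing (not taken from any real sample): the entry names
# an archive tool reports, checked before anything is written to disk.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs\\readme.txt",
    "..\\..\\..\\Users\\Public\\Start Menu\\Programs\\Startup\\update.exe",
    ".../...//dropper.exe",
    "C:\\Windows\\Temp\\payload.dll",
    "decoy.pdf:..\\..\\hidden.exe",
]

EXTRACT_ROOT = "C:\\extract"  # assumed destination directory for the containment check


def classify_entry(name):
    """Return the weakness classes an archive entry name would exercise on extraction.

    The classes follow the page: CWE-22 (generic traversal), CWE-35 (dot-run variants
    such as '.../...//' that collapse to '../' after a single non-recursive stripping
    pass), CWE-36 (absolute path) and NTFS ADS names (a colon outside the drive letter).
    """
    findings = []
    normalized = name.replace("/", "\\")
    # CWE-36: a drive letter or leading separator makes the destination irrelevant.
    if re.match(r"^[A-Za-z]:\\", normalized) or normalized.startswith("\\"):
        findings.append("CWE-36 absolute path")
    # ADS: any colon after an optional drive letter separates file name and stream name.
    if ":" in re.sub(r"^[A-Za-z]:", "", normalized):
        findings.append("NTFS ADS name")
    # CWE-22 / CWE-35: a segment made only of two or more dots walks upward, or turns
    # into '..' once a naive sanitizer has removed the '../' sequences it can see.
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in normalized.split("\\")):
        findings.append("CWE-22/35 traversal segment")
    return findings


def resolves_outside(name, root=EXTRACT_ROOT):
    """True when the lexically resolved target path lands outside the extraction root.

    ntpath gives Windows path semantics on any host. The check is purely lexical:
    it models neither junctions already present under root nor how the filesystem
    interprets an ADS name, which is why classify_entry reports ADS separately.
    """
    target = ntpath.normpath(ntpath.join(root, name.replace("/", "\\")))
    root_norm = ntpath.normpath(root).lower()
    return not target.lower().startswith(root_norm + "\\")


def audit_listing(entries, root=EXTRACT_ROOT):
    """Map each entry name to its findings; an empty list means the entry is clean."""
    report = {}
    for name in entries:
        findings = classify_entry(name)
        if resolves_outside(name, root):
            findings.append("resolves outside extraction root")
        report[name] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit_listing(SAMPLE_ENTRIES).items():
        print("BLOCK" if findings else "ok   ", repr(entry), findings)
```

Two of the constructed entries make the point that pattern checks and path resolution are both needed: the `.../...//` entry resolves inside the root lexically and is caught only by the dot-run rule, and the ADS entry resolves inside the root lexically because `normpath` knows nothing about stream names, so the colon rule has to stand on its own.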

Runtime weaknesses highlight exploitable behavior that legacy vulnerability tools are not built to detect. CVEs matter, but they are a lagging indicator since they describe weaknesses someone already found, disclosed, and cataloged. Our analysis found 7 runtime weaknesses in WinRAR, based on how it behaves in our customer environments and in local testing.
One of the runtime weaknesses we identified with WinRAR is its creation of a remotely accessible named pipe. In this instance, the pipe it creates is winrar_pipe_*.
Example Spektion log excerpt highlighting this behavior:
"process_path":"C:\\Program Files\\WinRAR\\WinRAR.exe",
{"dwPipeMode":"0x0","filePath":"\\\\.\\pipe\\winrar_pipe_12345"}
We have previously outlined the risks associated with named pipes here.
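The `dwPipeMode` value in that excerpt is what makes the pipe remotely accessible: in the Win32 CreateNamedPipe API, `PIPE_REJECT_REMOTE_CLIENTS` (0x8) is the flag that refuses remote connections, and a mode of 0x0 leaves it clear. The detection below is an added example, not Spektion's code; the NDJSON field layout (`process_path`, `api`, `args`) and the log lines are constructed, modelled loosely on the excerpt, and the default install prefix is an assumption.

```python
import json
import re

# PIPE_REJECT_REMOTE_CLIENTS (0x00000008) is a dwPipeMode flag of the Win32
# CreateNamedPipe API; when it is clear, the pipe accepts remote client connections.
PIPE_REJECT_REMOTE_CLIENTS = 0x00000008

# The page gives the pipe name pattern as winrar_pipe_*; match the full NT path form.
WINRAR_PIPE = re.compile(r"^\\\\\.\\pipe\\winrar_pipe_.+$", re.IGNORECASE)

STANDARD_INSTALL_PREFIX = "c:\\program files\\winrar\\"  # assumed default install path

# Constructed NDJSON log lines modelled loosely on the excerpt above; the field layout
# (process_path, api, args) is an assumption, not Spektion's actual schema.
SAMPLE_LOG = r'''
{"process_path":"C:\\Program Files\\WinRAR\\WinRAR.exe","api":"CreateNamedPipeW","args":{"dwPipeMode":"0x0","filePath":"\\\\.\\pipe\\winrar_pipe_12345"}}
{"process_path":"C:\\Program Files\\WinRAR\\WinRAR.exe","api":"CreateNamedPipeW","args":{"dwPipeMode":"0x8","filePath":"\\\\.\\pipe\\winrar_pipe_67890"}}
{"process_path":"C:\\Windows\\System32\\svchost.exe","api":"CreateNamedPipeW","args":{"dwPipeMode":"0x0","filePath":"\\\\.\\pipe\\unrelated_pipe"}}
{"process_path":"C:\\Users\\alice\\Downloads\\WinRAR.exe","api":"CreateNamedPipeW","args":{"dwPipeMode":"0x0","filePath":"\\\\.\\pipe\\winrar_pipe_424242"}}
'''


def accepts_remote_clients(pipe_mode):
    """Decode dwPipeMode (hex string or int) and report whether remote clients are accepted."""
    mode = int(str(pipe_mode), 16) if isinstance(pipe_mode, str) else int(pipe_mode)
    return (mode & PIPE_REJECT_REMOTE_CLIENTS) == 0


def detect_winrar_pipes(ndjson_text):
    """Return one finding per WinRAR named-pipe creation event in the log text."""
    hits = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        args = event.get("args", {})
        pipe = args.get("filePath", "")
        if not WINRAR_PIPE.match(pipe):
            continue
        process = event.get("process_path", "")
        hits.append({
            "process_path": process,
            "pipe": pipe,
            "accepts_remote_clients": accepts_remote_clients(args.get("dwPipeMode", "0x0")),
            # An install outside the default directory is itself worth noting, since the
            # page points out WinRAR can live anywhere on the system.
            "nonstandard_install": not process.lower().startswith(STANDARD_INSTALL_PREFIX),
        })
    return hits


if __name__ == "__main__":
    for hit in detect_winrar_pipes(SAMPLE_LOG):
        print(hit)
```

A clear reject-remote flag means the pipe will accept a connection that arrives over SMB; whether one can actually arrive still depends on the host firewall and the pipe's security descriptor, so treat the finding as exposure to triage rather than proof of reachability.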
Every version of an application behaves differently. A new feature can introduce new risks; a vendor fix can remove one.
Spektion scores risk on the context of execution and what an application actually does, not the CVE list alone. The snippet below shows that no two versions, even of the same application, carry the same risk.

If you are a Spektion customer, WinRAR is already graded and flagged by its runtime behavior and version with no manual hunting required. If you are not yet a customer, you can search for these artifacts yourself.
The most common files associated with this application are:
Search for the creation of this named pipe:
Search for this mutant:
Once you have found it, check the version. Anything below 7.13 is exposed to CVE-2025-8088, and with no auto-updater, finding and fixing it once does not keep it patched, so the check has to be repeated.
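Once the artifacts above have produced a list of hosts and binaries, the version check is the step that turns them into a work queue. The triage below is an added example for this spotlight, not Spektion's product logic; the inventory records are constructed, the 7.13 threshold is the one the text gives for CVE-2025-8088, and the default install prefix is an assumption.

```python
import re

# Constructed inventory records (not real hosts): the kind of result an endpoint query
# returns once the files, pipe or mutant above have been located.
SAMPLE_INVENTORY = [
    {"host": "WS-001", "path": "C:\\Program Files\\WinRAR\\WinRAR.exe", "version": "7.13"},
    {"host": "WS-002", "path": "C:\\Program Files\\WinRAR\\WinRAR.exe", "version": "7.12"},
    {"host": "WS-003", "path": "C:\\Users\\bob\\Downloads\\WinRAR.exe", "version": "6.24"},
    {"host": "WS-004", "path": "D:\\tools\\rar\\WinRAR.exe", "version": "7.13"},
    {"host": "WS-005", "path": "C:\\Program Files\\WinRAR\\WinRAR.exe", "version": ""},
]

FIXED_VERSION = (7, 13)  # first version the page names as not exposed to CVE-2025-8088
STANDARD_INSTALL_PREFIX = "c:\\program files\\winrar\\"  # assumed default install path


def parse_version(text):
    """Parse 'major.minor' into an int tuple; None when the string is unusable.

    Comparing tuples of ints avoids the ordering mistakes that string or float
    comparison of dotted version numbers makes.
    """
    match = re.match(r"^\s*(\d+)\.(\d+)", str(text))
    return (int(match.group(1)), int(match.group(2))) if match else None


def triage(inventory, fixed=FIXED_VERSION):
    """Classify each record as exposed, patched or unknown and flag odd install paths."""
    results = []
    for record in inventory:
        version = parse_version(record.get("version"))
        if version is None:
            status = "unknown"  # cannot be shown patched, so it stays on the list
        elif version < fixed:
            status = "exposed"
        else:
            status = "patched"
        results.append({
            **record,
            "status": status,
            "nonstandard_install": not record["path"].lower().startswith(STANDARD_INSTALL_PREFIX),
        })
    # Exposed hosts first, then unknowns, so the output reads as a work queue.
    order = {"exposed": 0, "unknown": 1, "patched": 2}
    return sorted(results, key=lambda r: order[r["status"]])


def summarize(results):
    """Count records per status."""
    counts = {"exposed": 0, "unknown": 0, "patched": 0}
    for result in results:
        counts[result["status"]] += 1
    return counts


if __name__ == "__main__":
    triaged = triage(SAMPLE_INVENTORY)
    for result in triaged:
        print(result["status"], result["host"], result["version"] or "?", result["path"])
    print(summarize(triaged))
```

Records with an unreadable version are kept as "unknown" rather than dropped, because a missing version string is exactly the case where an old, hand-copied binary tends to hide; and since nothing will update these installs on its own, the same run belongs on a recurring schedule rather than a one-off hunt.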
WinRAR is the most popular archiver application in the world. Due to its lack of an update mechanism, lack of centralized management, and ability to be installed in any directory on a given system, most organizations either do not know employees are running outdated versions or lack the data to decide whether the application belongs in their environment at all. This application will continue to be a prime target for threat actors due to its popularity and the continued discovery of high-risk CVEs that impact it.
Based on our analysis, WinRAR should have been flagged for removal, or at least mitigated, even before the campaign CVEs were published. The published CVEs are only part of the picture. Runtime weaknesses should be treated as a higher-fidelity signal than the absence of a CVE while waiting for the next disclosure. Our runtime telemetry and the consistent CWE trends make it clear: this application will keep presenting risk before the next CVE is assigned.
Most platforms force you to wait until a CVE is published to know your attack surface. WinRAR is likely in your environment right now, and the next CVE against it is coming. The only question is whether you wait for a vendor advisory or identify it earlier from your own telemetry.
Many exploitable weaknesses never get a CVE. Book a runtime exposure assessment and Spektion will show what's actually exploitable across your endpoints.