Two of the most widely used compression programs in the world, 7-Zip and WinRAR, have had to roll out emergency updates following the discovery of serious security vulnerabilities. In the case of WinRAR, it has been confirmed that a vulnerability was already being actively exploited by cybercriminals, while 7-Zip fixed a flaw that allowed manipulation of critical system files.
WinRAR under attack: active exploitation of CVE-2025-8088
The CVE-2025-8088 vulnerability, with a CVSS score of 8.8, affects the WinRAR compression program and allows attackers to execute arbitrary code through specially crafted malicious archive files. Researchers from ESET—Anton Cherepanov, Peter Košinár, and Peter Strýček—discovered that this “path traversal” flaw was already being exploited by the Russian group RomCom (also known as Paper Werewolf) in targeted phishing campaigns.
The issue allows, when extracting a file, earlier versions of WinRAR to be tricked into using a path defined in a specially crafted file, instead of the user-specified path. This vulnerability enables malicious files to cause WinRAR to save files to locations different from those intended by the user, such as the system’s startup folder.
Documented attacks by ESET took place between July 18 and 21, 2025, targeting financial, manufacturing, defense, and logistics companies across Europe and Canada for cyberespionage purposes. Evidence suggests that the Paper Werewolf group may have acquired the exploit from a Russian forum where an actor known as “zeroplayer” offered an alleged WinRAR zero-day vulnerability for $80,000.
The vulnerability has been patched in WinRAR version 7.13, released on July 31, 2025. However, the software does not have an automatic update mechanism, meaning users need to manually download and install the fix.
7-Zip: symbolic link manipulation in CVE-2025-55188
Meanwhile, 7-Zip addressed the CVE-2025-55188 vulnerability, with a CVSS score of 2.7, which could be exploited for arbitrary file writes due to the way the tool handles symbolic links during extraction. The code managing symbolic links was modified to improve security by adding the -snld20 parameter, which can be used to bypass default security checks when creating symbolic links.
In a potential attack scenario, a malicious actor could leverage this flaw to gain unauthorized access or execute code by manipulating sensitive files, such as overwriting SSH keys or the .bashrc file. The attack primarily targets Unix systems but could also be adapted for Windows with additional requirements.
This vulnerability was fixed in version 25.01 of 7-Zip, released on August 3, 2025.
Background on vulnerabilities in compression tools
This isn’t the first instance of serious vulnerabilities in compression software. In 2023, another WinRAR flaw (CVE-2023-38831, CVSS 7.8) was extensively exploited as a zero-day by threat actors from China and Russia. Google’s threat analysis group documented that state-backed actors from Russia and China exploited that earlier flaw.
Additionally, a recent vulnerability in 7-Zip, CVE-2025-0411 with a CVSS score of 7.0, was found allowing attackers to evade the Mark-of-the-Web protection mechanism. This was fixed in version 24.09, published on November 29, 2024.
Security recommendations
Cybersecurity experts recommend the following immediate actions:
- WinRAR: Upgrade immediately to version 7.13 or later
- 7-Zip: Upgrade to version 25.01 or later
- Avoid opening compressed files from unknown or suspicious senders
- Implement detection systems capable of identifying malicious behavior patterns
- Regularly verify the versions of compression software installed across organizations
Over 80% of organizations rely on archive tools like WinRAR, often underestimating the associated risks. This makes such vulnerabilities a particularly concerning attack vector for business-critical infrastructure.
Frequently Asked Questions
How can I verify which version of WinRAR or 7-Zip I have installed? In WinRAR, go to the “Help” menu > “About WinRAR” to see the version. In 7-Zip, open the program and navigate to “Help” > “About 7-Zip”. Secure versions are WinRAR 7.13+ and 7-Zip 25.01+.
Do these vulnerabilities affect other compression programs such as Windows native ZIP? No, these specific vulnerabilities (CVE-2025-8088 and CVE-2025-55188) affect only WinRAR and 7-Zip, respectively. Nonetheless, it’s advisable to keep all compression tools updated, as they have historically been attractive targets for cyberattacks.
Can I continue using RAR and 7Z files safely after updating? Yes, once upgraded to the patched versions (WinRAR 7.13+ and 7-Zip 25.01+), you can use these formats securely. However, always exercise caution with files from unknown sources and consider using updated antivirus software.
What is a “path traversal” attack and why is it dangerous? A path traversal attack allows an attacker to manipulate file paths to write or access files outside the intended directory. This can be dangerous because it may allow overwriting critical system files, installing malware in startup folders, or accessing sensitive information such as stored credentials.
Open-source alternatives as a secure solution
Given the recurring vulnerabilities in proprietary compression software, many security experts recommend switching to open-source alternatives which have demonstrated greater transparency and faster vulnerability fixes. Native Linux/Unix tools like gzip, bzip2, and xz offer notable advantages in security and performance.
7-Zip: the most robust free alternative
7-Zip has established itself as one of the best free, open-source alternatives, providing a compression ratio 2-10% better than PKZip or WinZip for ZIP and GZIP formats. It supports multiple formats including 7z, XZ, BZIP2, GZIP, TAR, ZIP, and WIM for compression, and can decompress ARJ, CAB, CHM, RAR, and others.
Notable features include AES-256 encryption in 7z and ZIP formats, the ability to create self-extracting archives, and full integration with Windows Explorer. As free software, it has official versions for multiple platforms and benefits from community scrutiny.
PeaZip: modern interface with broad compatibility
PeaZip is another excellent open-source option that compresses to 7Z, ARC, BZip2, GZip, PAQ, and PEA formats, creates self-extracting archives in TAR, WIM, XZ, and ZIP, and decompresses over 180 formats. It is available in portable versions, contains no ads or adware, and offers advanced security features like AES encryption and two-factor authentication.
Native Unix/Linux tools: maximum security
For technical users, native compression tools offer the best security and performance guarantees:
Gzip: While not the most optimal in compression, gzip offers the best balance of quality, speed, and resource use during compression and decompression. It’s the standard tool in Unix/Linux systems and has been extensively audited.
Xz/LZMA: Despite the 2024 security incident (CVE-2024-3094), the attack on xz-utils was quickly detected and fixed by the community before affecting production systems. XZ produces the smallest files, making it ideal for web publishing where bandwidth savings are prioritized.
Bzip2: Offers a middle ground, achieving better compression than Gzip with shorter processing times than XZ.
Emerging alternatives: NanaZip and Bandizip
NanaZip, based on the 7-Zip engine, presents itself as “the ultimate file compressor” with a modern interface fully integrated into Windows 11’s context menu. It retains 7-Zip’s power but enhances user experience significantly.
Bandizip supports over 30 formats, including the new RAR5, with an intuitive interface and notable stability. It features AES-256 encryption and is available both as free and professional versions.
Migration recommendations
For organizations seeking secure alternatives, experts recommend:
- Gradual migration: Start with 7-Zip or PeaZip as immediate replacements for WinRAR
- Standardization: Adopt open formats like 7z, ZIP, or TAR.XZ for corporate files
- Automation: Implement native Unix tools for automated backup workflows
- Training: Educate technical staff in command-line tools for critical tasks
The key advantage of open-source software is that vulnerabilities can be identified and fixed by anyone in the community, as demonstrated by the xz-utils case where engineer Andres Freund “almost by accident” discovered the backdoor before it impacted production systems.
Source: Security news