Two Russian state-linked cyber groups are reportedly leveraging a previously patched vulnerability in WinRAR to target Ukrainian government and military infrastructure, according to new research from Trend Micro. The flaw, identified as CVE-2025-8088, is a path traversal vulnerability rated 8.4 on the CVSS scale. Despite being patched nearly a year ago, attackers are still exploiting it to deploy credential-stealing malware.
Exploitation Tactics and Targets
The vulnerability allows attackers to manipulate file extraction paths, enabling them to place malicious files in arbitrary locations on a victim's system. Trend Micro’s analysis reveals that the groups, known as Gamaredon and APT28, are using this technique to deliver malware that can harvest login credentials and other sensitive data. These attacks are specifically aimed at Ukrainian defense sectors, highlighting the ongoing cyber warfare dynamics in the region.
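The class of flaw described above, an archive entry whose name steers the extracted file outside the chosen destination, can be caught before extraction by validating each entry path. The following is an added defensive example, not code from Trend Micro, WinRAR or the article; it is a generic pre-extraction check and makes no claim about the exact mechanics of CVE-2025-8088. Entry names and the destination directory are constructed for illustration.

```python
import os
import ntpath
import posixpath


def is_safe_member_path(dest_dir: str, member: str) -> bool:
    """Return True only if an archive entry would land inside dest_dir.

    Rejects absolute paths, Windows drive or UNC prefixes, names that
    Windows could not store, and any '..' sequence that escapes the
    destination, whichever path separator the archive uses.
    """
    # Archives may carry either separator; normalise to '/' first.
    name = member.replace("\\", "/")
    # A drive letter (C:) or UNC root (//server/share) ignores dest_dir.
    if ntpath.splitdrive(name)[0] or name.startswith("//"):
        return False
    if posixpath.isabs(name):
        return False
    # Windows file names cannot contain ':' outside a drive prefix;
    # reject such entries conservatively rather than reasoning about them.
    if ":" in name:
        return False
    # Resolve '.' and '..' lexically, then require dest to be a prefix.
    # Note: symlinks already present under dest_dir are a separate issue
    # and would need a realpath check at extraction time.
    dest = os.path.normpath(os.path.abspath(dest_dir))
    target = os.path.normpath(os.path.join(dest, *name.split("/")))
    return target == dest or target.startswith(dest + os.sep)


def find_unsafe_entries(dest_dir: str, members: list[str]) -> list[str]:
    """Return the entry names that would escape dest_dir, for logging or blocking."""
    return [m for m in members if not is_safe_member_path(dest_dir, m)]


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    "report/q3.pdf",            # ordinary relative entry: allowed
    "report/../q3.pdf",         # '..' that stays inside dest: allowed
    "../../outside.txt",        # escapes dest via '..': rejected
    "..\\..\\escape.txt",       # same escape with backslashes: rejected
    "C:/absolute.txt",          # drive-qualified path: rejected
    "/absolute.txt",            # POSIX absolute path: rejected
]

if __name__ == "__main__":
    for entry in find_unsafe_entries("extract_dir", SAMPLE_ENTRIES):
        print("blocked:", entry)
```

Running the block lists the four rejected entries; the same function can be applied to any archive listing before files are written to disk.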
Implications for Cybersecurity
This case underscores a critical issue in cybersecurity: the persistence of legacy vulnerabilities in widely used software. Even after patches are released, many organizations fail to update their systems promptly, leaving them exposed to known threats. The continued exploitation of CVE-2025-8088 demonstrates that attackers often target the weakest link in a defense chain, and that doing so need not require the most sophisticated techniques.
Security experts are urging organizations, especially those in high-risk sectors, to conduct immediate audits of their software systems and ensure all patches are applied without delay. As cyber threats evolve, the importance of maintaining up-to-date defenses cannot be overstated.