Google warns WinRAR bug CVE-2025-8088 is in 'widespread' use by gov-backed actors
Google says a well-known, already-patched WinRAR vulnerability (CVE-2025-8088) is in "widespread, active" use by government-backed threat actors linked to Russia and China. The exploit was identified in July last year and posted to the National Vulnerability Database in August.
Google and other bodies have noted the threat is widely known—numerous organisations, including the UK’s NHS, have registered the issue. One observed use of the WinRAR bug deposits malicious files in the Windows Startup folder to maintain persistence.
Google reported that one group exploiting the flaw targets the hospitality and travel sectors with phishing emails themed around hotel bookings. The firm said the activity highlights the continuing operational use of the bug despite the availability of a patch.
Google described the case as evidence of the "enduring danger posed by n-day vulnerabilities." N-day vulnerabilities are known security flaws for which patches or fixes exist—however, those patches only protect systems if they are actually applied.
The straightforward mitigation is to update WinRAR to the latest 7.13 build immediately and avoid opening WinRAR archives until you have done so, the report says. Until users apply the update, the vulnerability remains exploitable by the campaigns Google described.
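A host check for the two points above, as an added example that is not taken from Google's report: it reads the installed WinRAR version against the 7.13 build and lists what currently sits in the Windows Startup folders. The default install directories, the 30-day look-back window and the function names are assumptions made for this sketch.

```powershell
# Added example: audit one Windows host for an unpatched WinRAR and for
# files in the Startup folders. Paths and the look-back window are assumptions.
$MinVersion   = [version]'7.13'   # fixed build named in the article
$LookBackDays = 30                # assumed triage window, adjust as needed

function Get-WinRarStatus {
    # Assumed default install roots; a portable or relocated copy is not found here.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'WinRAR\WinRAR.exe'
        if (Test-Path -LiteralPath $exe) {
            $info = (Get-Item -LiteralPath $exe).VersionInfo
            $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart)
            [pscustomobject]@{
                Path    = $exe
                Version = $ver
                Patched = ($ver -ge $MinVersion)
            }
        }
    }
}

function Get-StartupEntries {
    # Covers the current user's and the all-users Startup folders only;
    # other user profiles on the host need the same check run per profile.
    $cutoff = (Get-Date).AddDays(-$LookBackDays)
    foreach ($name in 'Startup', 'CommonStartup') {
        $folder = [Environment]::GetFolderPath($name)
        if ($folder -and (Test-Path -LiteralPath $folder)) {
            Get-ChildItem -LiteralPath $folder -File -Force |
                Where-Object { $_.Name -ne 'desktop.ini' } |
                Select-Object FullName, CreationTime,
                    @{ Name = 'Recent'; Expression = { $_.CreationTime -ge $cutoff } }
        }
    }
}

$winrar = @(Get-WinRarStatus)
if ($winrar.Count -eq 0) {
    Write-Output 'WinRAR.exe not found in the default install directories.'
} else {
    $winrar | Format-Table -AutoSize
}

# Every entry is listed; Recent = True marks files created inside the window.
Get-StartupEntries | Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

A Startup entry flagged as recent is a prompt for review, not a verdict: legitimate installers also write shortcuts there.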