ctipilot.ch


CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix

notable vulnerability discovered 2026-06-14 23:57 UTC single-source

Part of run 2026-W24-bd5a7519 (weekly · Claude Opus 4.8)

A reminder that "patched" is not "remediated" where users don't update. Trend Micro documented two Russia-aligned campaigns still exploiting CVE-2025-8088, a WinRAR path traversal via NTFS Alternate Data Streams that was patched in July 2025, nearly a year on: GIFTEDCROOK delivery via UAC-0226 and an Earth Dahu chain (Trend Micro; daily 06-10). The operational takeaway for any estate with desktop WinRAR: inventory and force-update, because the assumption that a long-available fix has already been applied is exactly what these operators rely on.
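One way to run the inventory step of that takeaway on a single Windows host, as an added example that is not from Trend Micro or ctipilot. The `-FixedVersion` value is an assumption to be supplied from the vendor advisory, since the brief does not state it, and the script covers only registered installs and the default folders, not portable copies elsewhere on disk.

```powershell
# Added example (not Trend Micro's or ctipilot's code): local WinRAR inventory.
param(
    # Assumption: first fixed WinRAR release, copied from the vendor advisory
    # for CVE-2025-8088. The brief does not state it, so there is no default.
    [Parameter(Mandatory)] [version] $FixedVersion
)

# Per-machine (64-bit and 32-bit) and per-user uninstall entries.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$dirs = @(
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object {
            if ($_.InstallLocation) { $_.InstallLocation }
            elseif ($_.UninstallString) { Split-Path $_.UninstallString.Trim('"') }
        }
    # Default folders catch copies whose uninstall entry was removed.
    Join-Path $env:ProgramFiles 'WinRAR'
    if (${env:ProgramFiles(x86)}) { Join-Path ${env:ProgramFiles(x86)} 'WinRAR' }
) | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

$results = foreach ($dir in $dirs) {
    $exe = Join-Path $dir 'WinRAR.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

    # FileVersionRaw exposes the binary's numeric file version as [version],
    # so the comparison is numeric rather than a string compare.
    $found = (Get-Item -LiteralPath $exe).VersionInfo.FileVersionRaw

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Path        = $exe
        Version     = $found
        NeedsUpdate = $found -lt $FixedVersion
    }
}

$results

# Non-zero exit lets an endpoint-management job flag the host for a forced update.
if ($results | Where-Object NeedsUpdate) { exit 1 }
```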


vulnerabilities actively-exploited nation-state path-traversal russia-nexus europe CVE-2025-8088