YARA rules for CVE-2025-8088
1 rules · scoped to cve · back to CVE-2025-8088
YARA rules whose family, name, or description matches this cve or its tooling. Use these for binary-pattern hunts.
rule EXPL_RAR_Archive_with_Path_Traversal_Aug25 {
meta:
description = "Detects RAR archives abused for path traversal like CVE-2025-8088 and CVE-2025-6218"
reference = "https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/#the-discovery-of-cve-2025-8088"
author = "Arnim Rupp (Nextron Systems)"
date = "2025-08-11"
score = 70
hash = "2a8fafa01f6d3863c87f20905736ebab28d6a5753ab708760c0b6cf3970828c3"
hash = "dfab2f25c9d870f30bbc4abb873d155cf4904ece536714fb9cd32b2e0126dfab"
hash = "107f3d1fe28b67397d21a6acca5b6b35def1aeb62a67bc10109bd73d567f9806"
strings:
// Only look for the users Autostart folder because the most effective attack method
// Use \ and / to handle archives created on Windows and Linux
$s1 = "..\\\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
$s2 = "..//../AppData/Roaming/Microsoft/Windows/Start Menu"
// CVE-2025-6218:
$s3 = "/.. /.. /AppData/Roaming/Microsoft/Windows/Start Menu/"
condition:
1 of ( $s* )
and (
uint16(0) == 0x4B50 // Yes, Winrar can chocke on ZIPs
or int32(0) == 0x21726152 // RAR
)
}