
Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect

Google Threat Intelligence Group warned that a diverse and growing collection of attackers, including nation-state groups and financially motivated cybercriminals, are exploiting a path-traversal vulnerability affecting WinRAR that was disclosed and patched six months ago.

The high-severity vulnerability — CVE-2025-8088 — was exploited in the wild almost two weeks before RARLAB, the vendor behind the file archiver tool, addressed the vulnerability in a software update in late July. 

Active exploitation of the vulnerability has consistently extended to more threat groups during the past six months and remains ongoing. Google threat hunters have attributed attacks to at least three financially motivated attackers, four Russia state-sponsored groups and one attacker based in China. 

“Government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations,” Google said in a threat intelligence report Tuesday. Researchers did not say how many attacks are linked to the vulnerability but described the activity as widespread.

Nation-state groups are consistently exploiting the defect to target victims in the military, government and technology sectors for espionage, researchers said. Groups backed by Russia are targeting Ukrainian military and government entities, while the China-based attacker’s targets remain unknown.

Cybercriminals are swarming to exploit the vulnerability, too. Google traced campaigns back to groups that previously targeted victims in Indonesia, Latin America and Brazil. Cybercrime groups exploited the vulnerability in December and January to deploy malware, including remote access trojans and infostealers.

Google published a timeline of observed exploitation depicting a broad set of attackers involved through October, but the majority of malicious activity since late 2025 is attributed to cybercriminals. 

Attacks share a common method of exploitation, which was rapidly adopted by a range of threat groups. 

“We are seeing both government-backed groups and financially motivated actors use the same exploitation method to achieve successful execution on target devices,” GTIG said in an email. “This mechanism of crafting a malicious RAR archive makes it more difficult for victims to determine they’ve been impacted, as they are shown a benign decoy file while in the background it silently drops a malicious payload into a critical system location such as Windows Startup folder.”

The malware requires no user interaction, and because there are no obvious indicators of compromise, the malicious activity is very difficult to spot, researchers said.
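The description above combines two traits a defender can check for in an archive listing before extraction: entry names that escape the extraction directory, and entry names that resolve into a Windows Startup folder. The following triage routine is an added example, not code from Google’s report or from RARLAB; the entry names it scans are constructed samples, not indicators from the article.

```python
import ntpath
import posixpath

# Constructed sample of archive entry names, as an archive listing tool might
# report them. These are illustrative only, not entries from any real sample.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\Public\\run.bat",
    "normal/../still_inside.txt",
    "normal/../../escapes.txt",
]


def normalize_entry(name: str) -> str:
    """Convert an entry name to forward-slash form and collapse '.' and '..' segments."""
    return posixpath.normpath(name.replace("\\", "/"))


def is_traversal(name: str) -> bool:
    """True when the entry would land outside the extraction directory.

    Flags absolute paths (drive letter, leading slash or backslash, UNC) and
    any name that still begins with '..' after normalization.
    """
    if ntpath.isabs(name) or name.startswith(("/", "\\")):
        return True
    norm = normalize_entry(name)
    return norm == ".." or norm.startswith("../")


def is_startup_drop(name: str) -> bool:
    """True when the normalized entry path points into a Windows Startup folder."""
    return "start menu/programs/startup/" in normalize_entry(name).lower()


def triage_listing(entries):
    """Return (entry, reasons) for every entry that shows either suspicious trait."""
    findings = []
    for entry in entries:
        reasons = []
        if is_traversal(entry):
            reasons.append("path traversal")
        if is_startup_drop(entry):
            reasons.append("targets Startup folder")
        if reasons:
            findings.append((entry, reasons))
    return findings
```

Run `triage_listing` over the names reported by your archive tool before extracting; a hit on either trait is a reason to quarantine the archive rather than open it.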

Attackers of various objectives are flocking to the vulnerability, reminiscent of widespread exploitation of a previous WinRAR defect, CVE-2023-38831, that Google’s Threat Analysis Group warned about in October 2023.

“The barrier to entry for threat actors to abuse WinRAR vulnerabilities is low, as there are public ready-to-use tools to quickly craft and test malicious archives,” researchers said. Google urged organizations to install security updates for WinRAR and published indicators of compromise to help defenders hunt for malicious activity on their systems.

The post Cybercriminals and nation-state groups are exploiting a six-month old WinRAR defect appeared first on CyberScoop.

Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage

Federal authorities and researchers alerted organizations Friday to a massively exploited vulnerability in Fortinet’s web application firewall. 

While the actively exploited critical defect poses significant risk to Fortinet’s customers, researchers are particularly agitated about the vendor’s delayed communications and, ultimately, post-exploitation warnings about the vulnerability.

Fortinet addressed CVE-2025-64446 in a software update pushed Oct. 28, but did not assign the flaw a CVE or publicly disclose its existence until last week — 17 days later — when the company also confirmed the vulnerability has been exploited in the wild.

By then, for some Fortinet customers, especially those that hadn’t updated to FortiWeb 8.0.2, it was too late. The path-traversal defect in FortiWeb, which has a CVSS rating of 9.8, allows attackers to execute administrative commands resulting in a complete takeover of the compromised device.

Threat researchers from multiple firms, computer emergency response teams and the Cybersecurity and Infrastructure Security Agency issued warnings Friday, some including details about extensive attacks linked to the defect. CISA also issued an alert and added the flaw to its Known Exploited Vulnerabilities catalog Friday, requiring federal agencies to address the vulnerability within a short deadline of seven days.

A Fortinet spokesperson said the vendor’s product security incident response team began addressing the vulnerability as soon as it learned of the defect, and those efforts remain underway. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement. 

“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions,” the spokesperson added.

Threat researchers at Defused first spotted the vulnerability and published a proof-of-concept exploit they detected Oct. 6. Researchers at watchTowr published technical analysis of the exploit and released a tool to help organizations hunt for potentially vulnerable hosts in their environments.

“Attacks have been widespread and indiscriminate according to shared evidence since at least early October — long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet,” Ben Harris, founder and CEO at watchTowr, told CyberScoop.

Researchers haven’t identified or named victims yet, but attackers are exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices. Threat hunters have not attributed the attacks to any cybercrime outfit, place of origin or motivation.

“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris said. “FortiWeb customers weren’t told about the critical, immediate risk of not applying these patches. Had they known, they would have likely updated right away. Now, anyone who didn’t patch is likely compromised.”

Information vacuum left researchers scrambling

The vulnerability falls into a definitional gray area, a minor detail but one that underscores the difficulties third-party researchers confronted in mounting a proper and informed response.

“Unless Fortinet is now fixing vulnerabilities by accident, by definition, it isn’t a zero-day, it’s a silently patched vulnerability and thus an n-day,” Harris said.

Yet, from a defender’s perspective this vulnerability functionally behaved as a zero-day, said Ryan Emmons, security researcher at Rapid7. “It was being exploited before customers had any formal awareness, guidance or patch information.”

Fortinet’s release notes for FortiWeb 8.0.2 don’t include any reference to specific vulnerabilities. 

“The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions. When those signals arrive late or in fragments, it slows the ability of researchers, vendors, and defenders to triangulate what’s actually happening,” Emmons said. 

“Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency and cooperative industry coordination,” Emmons added. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”

Researchers resoundingly criticized Fortinet for delaying its public disclosure of the vulnerability and a lack of urgency until active exploitation was already underway.

Fortinet’s belated CVE assignment compounded problems for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,” Emmons said. “This gives attackers a much stronger position.”

Security teams are already inundated with vulnerability patches. Not only is it infeasible for them to apply every fix and software update immediately, there is also an operational risk to weigh: patches can break critical processes and integrations.

“Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed,” Harris said. “This combination left defenders at a disadvantage from the start.”

The post Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage appeared first on CyberScoop.
