Attachment: WinRAR CVE-2025-8088 exploitation

Detects attempts to exploit CVE-2025-8088 via attached RAR files

Sublime rule (View on GitHub)

```yaml
name: "Attachment: WinRAR CVE-2025-8088 exploitation"
description: |
    Detects attempts to exploit CVE-2025-8088 via attached RAR files
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          // it's a RAR file
          (
            .content_type == "application/x-rar-compressed"
            or .file_extension == "rar"
            or .file_type == "rar"
          )
          // less than 10 MB
          and .size < 10000000
          // explode it
          and any(file.explode(.),
                  // contains a YARA match
                  any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "33b3a82b-0721-53b8-a5f2-d28e3d791b60"
```
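To show how the rule's three conditions combine, here is the same predicate written out in Python over constructed attachment records; this is an added illustration, not Sublime Security's evaluator or rule code. The `Attachment` and `ExplodedFile` classes, the sample values and the YARA hit lists are all assumptions; only the YARA rule name and the size limit come from the rule above.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed data model approximating the attachment fields the rule reads
# (assumption: not Sublime's real object model).
@dataclass
class ExplodedFile:
    name: str
    yara_matches: List[str] = field(default_factory=list)

@dataclass
class Attachment:
    file_name: str
    content_type: str
    file_extension: str
    file_type: str          # type detected from content, not from the name
    size: int
    exploded: List[ExplodedFile] = field(default_factory=list)

YARA_RULE = "WinRAR_CVE_2025_8088"   # name from the rule above
MAX_SIZE = 10_000_000                # size gate from the rule above

def is_rar(a: Attachment) -> bool:
    # Any one signal is enough, so a renamed archive whose declared
    # extension and content type are wrong is still caught by file_type.
    return (a.content_type == "application/x-rar-compressed"
            or a.file_extension == "rar"
            or a.file_type == "rar")

def matches_rule(a: Attachment) -> bool:
    # Same structure as the MQL: RAR, under the size gate, and at least one
    # exploded member carries the YARA match.
    return (is_rar(a)
            and a.size < MAX_SIZE
            and any(YARA_RULE in f.yara_matches for f in a.exploded))

def flag_message(attachments: List[Attachment]) -> List[str]:
    """Return the file names of attachments that would fire the rule."""
    return [a.file_name for a in attachments if matches_rule(a)]

# Constructed sample attachments covering the main cases.
SAMPLE = [
    Attachment("invoice.rar", "application/x-rar-compressed", "rar", "rar",
               52_000, [ExplodedFile("invoice.pdf"), ExplodedFile("a", [YARA_RULE])]),
    # renamed archive: name and content type say PDF, detected type says rar
    Attachment("report.pdf", "application/pdf", "pdf", "rar", 80_000,
               [ExplodedFile("a", [YARA_RULE])]),
    # oversized archive: the size gate stops it before the YARA check
    Attachment("big.rar", "application/x-rar-compressed", "rar", "rar",
               25_000_000, [ExplodedFile("a", [YARA_RULE])]),
    # benign archive with no YARA hit
    Attachment("photos.rar", "application/x-rar-compressed", "rar", "rar",
               3_000, [ExplodedFile("img.jpg")]),
]
```

Note that an archive over 10 MB is never exploded or scanned by this rule, so oversized samples need separate coverage.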