Attachment: WinRAR CVE-2025-8088 exploitation
Detects attempts to exploit CVE-2025-8088 via attached RAR files
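---
# Sublime Security detection rule.
# Fires on inbound mail carrying a RAR attachment (by MIME type, extension or
# detected file type) under the size cap, whose exploded contents match the
# WinRAR_CVE_2025_8088 YARA rule.
name: "Attachment: WinRAR CVE-2025-8088 exploitation"
description: |
  Detects attempts to exploit CVE-2025-8088 via attached RAR files.
  Matches inbound messages with a RAR attachment below the size cap whose
  exploded contents match the WinRAR_CVE_2025_8088 YARA rule.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          // it's a RAR file: legacy and IANA MIME types, extension compared
          // case-insensitively so "RAR" / "Rar" are not missed, or detected type
          (
            .content_type == "application/x-rar-compressed"
            or .content_type == "application/vnd.rar"
            or .file_extension =~ "rar"
            or .file_type == "rar"
          )
          // size cap (10,000,000 bytes) keeps archive explosion cheap
          and .size < 10000000
          // explode the archive and look for the CVE-2025-8088 YARA signature
          and any(file.explode(.),
                  any(.scan.yara.matches, .name == "WinRAR_CVE_2025_8088")
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "YARA"
id: "33b3a82b-0721-53b8-a5f2-d28e3d791b60"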