Two critical vulnerabilities in WinRAR and 7-Zip demonstrate why it’s time to rethink our compression tools

In a world where millions of files are compressed and decompressed daily, two of the planet’s most ubiquitous applications have just delivered a brutal reminder about the fragility of digital infrastructure. WinRAR and 7-Zip, installed on hundreds of millions of computers, have had to release emergency patches after discovering vulnerabilities that, in the former’s case, were already being exploited by Russian cybercriminals.

The irony is palpable: tools designed to protect and organize our data have become entry points for sophisticated attackers. And while users rush to update their compressors, an uncomfortable question looms over the industry: how many of these “basic utilities” are actually secure?

WinRAR: when the past catches up with you

The CVE-2025-8088 vulnerability in WinRAR isn’t just a technical flaw; it’s the materialization of a structural problem. With a CVSS score of 8.8, this “path traversal” flaw lets a crafted archive write files outside the folder the user chose for extraction, placing executables where they can do the most damage.

ESET researchers—Anton Cherepanov, Peter Košinár, and Peter Strýček—discovered that the Russian group RomCom had turned this vulnerability into their weapon of choice between July and August 2025. The modus operandi was elegantly simple: phishing emails with RAR files that, when decompressed, deposited malware directly into the system’s startup folders.

But here’s the detail that should concern any systems administrator: there’s evidence that Paper Werewolf (another alias for RomCom) acquired the exploit on the black market. An actor known as “zeroplayer” had offered this zero-day vulnerability for $80,000 on Russian forums on July 7th. Three weeks later, the attacks began.

The arithmetic is simple and terrifying: $80,000 to potentially compromise millions of enterprise systems in Europe and Canada. The investment pays for itself in minutes.

7-Zip: the risk hiding in symbolic links

CVE-2025-55188 in 7-Zip, with its modest CVSS score of 2.7, might seem minor compared to WinRAR’s drama. But it would be a mistake to underestimate a vulnerability that allows manipulation of symbolic links during extraction.

In Unix systems, where a simple symbolic link can point to critical files like ~/.bashrc or ~/.ssh/authorized_keys, this vulnerability is a passport to persistence. An attacker could overwrite startup scripts or SSH keys, establishing permanent system access without triggering traditional alarms.

The fix arrived in 7-Zip 25.01 on August 3rd, introducing the -snld20 parameter to control symbolic link handling. But the fact that this vulnerability existed underscores an uncomfortable reality: even the most audited open-source software can harbor unpleasant surprises.
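Both flaws above come down to the same defensive question: before anything is written to disk, does every archive member land inside the chosen extraction directory? The following is an added example (not code from the article, WinRAR or 7-Zip) of such a pre-extraction audit. It uses Python's standard tarfile module because the stdlib has no RAR or 7z reader; the checks themselves are format-independent. It rejects three patterns: entry names that escape the destination, symlink members whose target resolves outside it, and members whose path passes through a symlink declared elsewhere in the same archive (the "link first, then write through it" trick). The archive it inspects is constructed in memory for the demonstration.

```python
"""Audit archive members for path traversal and unsafe symbolic links
before extracting anything. Added example; uses Python's stdlib tarfile
as a stand-in for RAR/7z, and constructs its sample archive in memory."""
import io
import posixpath
import tarfile


def _normalize(name):
    """Return a safe relative POSIX path for an archive member name, or None.

    Rejects absolute paths, Windows drive prefixes and any '..' component
    that survives lexical normalization."""
    name = name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    norm = posixpath.normpath(name)
    if ".." in norm.split("/"):
        return None
    return norm


def audit_members(members):
    """members: iterable of (name, linkname); linkname is None for non-symlinks.

    Returns a list of (name, reason) for every member that must block extraction.
    Two passes: collect every symlink the archive declares, then check each
    member against traversal, escaping link targets and link-traversal."""
    findings = []
    normalized = []
    for name, linkname in members:
        norm = _normalize(name)
        if norm is None:
            findings.append((name, "path escapes extraction directory"))
            continue
        normalized.append((name, norm, linkname))

    symlinks = {norm for _, norm, link in normalized if link is not None}

    for name, norm, link in normalized:
        if link is not None:
            # A relative target resolves from the link's own directory;
            # an absolute target or one containing '..' is rejected outright.
            target = _normalize(posixpath.join(posixpath.dirname(norm), link))
            if target is None:
                findings.append((name, f"symlink target {link!r} escapes extraction directory"))
                continue
        parts = norm.split("/")
        for i in range(1, len(parts)):
            prefix = "/".join(parts[:i])
            if prefix in symlinks:
                findings.append((name, f"path passes through archived symlink {prefix!r}"))
                break
    return findings


def audit_tar(data):
    """Run audit_members over every entry of an in-memory tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = [(m.name, m.linkname if m.issym() else None) for m in tar.getmembers()]
    return audit_members(members)


def build_sample_archive():
    """Constructed sample: one benign file, one traversal entry aimed at a
    startup folder, one symlink aimed at ~/.ssh/authorized_keys, and a file
    that would be written through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("report.pdf")
        add_file("../../../Start Menu/Programs/Startup/updater.exe")
        link = tarfile.TarInfo("docs/keys")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../.ssh/authorized_keys"
        tar.addfile(link)
        add_file("docs/keys/extra")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_tar(build_sample_archive()):
        print(f"BLOCK {member}: {reason}")
```

The checks are lexical and deliberately conservative: a link target that cannot be shown to stay inside the destination is rejected rather than resolved on disk, and the whole archive is audited before a single byte is written, so the order in which members appear cannot be used to slip a write past the check.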

The emerging pattern

These aren’t isolated incidents. WinRAR already starred in CVE-2023-38831 in 2023, a CVSS 7.8 vulnerability that was massively exploited by Chinese and Russian state actors. 7-Zip, meanwhile, had to fix CVE-2025-0411 at the end of 2024, a breach that allowed bypassing Windows’ Mark-of-the-Web protections.

The pattern is clear: compressors have become priority targets because they combine ubiquity, elevated privileges, and users’ blind trust. Nobody suspects a ZIP file.

The reality table: performance vs. security

Compressor  | Type        | Compression Ratio | Speed     | Encryption    | Latest Vuln.              | Auto Update
WinRAR      | Proprietary | ~40% of original  | Fast      | AES-256       | CVE-2025-8088 (Aug 2025)  |
7-Zip       | Open Source | ~40% of original  | Slow      | AES-256       | CVE-2025-55188 (Aug 2025) |
PeaZip      | Open Source | ~40% of original  | Medium    | AES-256 + 2FA | No recent known           |
NanaZip     | Open Source | ~40% of original  | Slow      | AES-256       | Inherited from 7-Zip      |
Gzip        | Open Source | ~70% of original  | Very fast |               | Historically stable       | N/A
XZ          | Open Source | ~20% of original  | Very slow |               | CVE-2024-3094*            | N/A
Windows ZIP | Proprietary | ~70% of original  | Fast      | Basic         |                           | OS-linked

*CVE-2024-3094 was detected and fixed before reaching production

The table reveals an uncomfortable truth: there’s no perfect compressor. WinRAR offers speed but requires licensing and has a history of vulnerabilities. 7-Zip compresses better but is slower and also vulnerable. Open-source alternatives like PeaZip promise transparency but lack enterprise support ecosystems.

The special case of XZ: when open source turns against itself

The xz-utils incident in 2024 deserves special mention. CVE-2024-3094, with a perfect CVSS score of 10.0, demonstrated that even free software can be compromised from within. An apparently legitimate contributor named Jia Tan had spent two years gradually inserting malicious code into a fundamental tool for millions of Linux servers.

The backdoor was discovered “almost by chance” by Andres Freund, a Microsoft engineer, who noticed SSH anomalies during routine testing. Without this fortuitous detection, most Linux servers on the planet would have been compromised.

Paradoxically, this incident also demonstrated the strength of the open-source model: code transparency allowed the threat to be identified and corrected before causing massive damage.

Emerging alternatives

The rise of NanaZip

In the alternatives laboratory, NanaZip emerges as the natural heir. Based on 7-Zip’s engine but with an interface that belongs to the 21st century, this tool integrates natively with Windows 11’s modern context menu. For users who value both power and user experience, it represents logical evolution.

PeaZip: the comprehensive proposal

PeaZip addresses one of security’s blind spots: two-factor authentication for compressed files. While WinRAR and 7-Zip settle for passwords, PeaZip allows protecting files with the combination of password and key file, similar to how cryptocurrency wallets work.

Back to basics: native tools

For corporate use cases where security trumps convenience, Unix native tools offer a solid proposition:

  • Gzip: Speed and stability proven over decades
  • XZ: Maximum compression when bandwidth is critical
  • Bzip2: The practical balance between speed and efficiency

These tools lack friendly graphical interfaces, but their simplicity is also their strength: less attack surface, fewer compromise vectors.

The roadmap for organizations

Immediate recommendations

  1. Urgent audit: Identify all WinRAR and 7-Zip installations
  2. Mass update: WinRAR 7.13+ and 7-Zip 25.01+ are non-negotiable
  3. File policies: Prohibit opening compressed files from unverified sources
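Steps 1 and 2 are easiest to act on when the inventory check is scripted. The following is an added example, not from the article: it takes a software inventory (constructed here as rows of host, display name and version, the shape most inventory or asset tools export) and flags every WinRAR or 7-Zip install below the minimum versions the article names, 7.13 and 25.01. The product-name matching is an assumption about how the installer reports itself. The one detail worth the code is the version comparison: compared as strings, "7.9" sorts after "7.13", so an audit built on string comparison would report an old WinRAR as patched.

```python
"""Flag WinRAR and 7-Zip installations below the patched versions named
in the article. Added example; the inventory rows are constructed."""
import re

# Minimum versions from the article: WinRAR 7.13, 7-Zip 25.01.
MINIMUM_VERSIONS = {"winrar": (7, 13), "7-zip": (25, 1)}


def parse_version(text):
    """Turn '7.13', '25.01' or '7.01 (64-bit)' into a tuple of integers so that
    versions compare numerically: (7, 9) < (7, 13), unlike the strings."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


def product_key(display_name):
    """Map an installer's display name to one of the products we track.
    Assumption: inventory tools report the names as the installers do."""
    name = display_name.lower()
    if "winrar" in name:
        return "winrar"
    if "7-zip" in name or "7zip" in name:
        return "7-zip"
    return None


def find_outdated(inventory):
    """inventory: iterable of (host, display_name, version).
    Returns the rows whose product is tracked and whose version is too old."""
    outdated = []
    for host, display_name, version in inventory:
        key = product_key(display_name)
        if key is None:
            continue  # not a compressor we care about
        if parse_version(version) < MINIMUM_VERSIONS[key]:
            outdated.append((host, display_name, version))
    return outdated


# Constructed sample inventory; the hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("ws-017", "WinRAR 7.01 (64-bit)", "7.01"),
    ("ws-018", "WinRAR 7.13 (64-bit)", "7.13"),
    ("ws-019", "7-Zip 24.09 (x64)", "24.09"),
    ("srv-02", "7-Zip 25.01 (x64)", "25.01"),
    ("ws-020", "Notepad++", "8.7"),
    ("ws-021", "WinRAR 7.9", "7.9"),  # '7.9' > '7.13' as strings, but older
]

if __name__ == "__main__":
    for host, name, version in find_outdated(SAMPLE_INVENTORY):
        print(f"{host}: {name} {version} needs updating")
```

Feed it the real export from your inventory tool and the list it prints is the patch queue for step 2; anything it cannot classify is skipped rather than guessed, so a NanaZip or other 7-Zip derivative would need its own entry with the vendor's fixed version.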

Medium-term strategy

  1. Diversification: Don’t depend on a single compressor for the entire organization
  2. Automation: Integrate native tools into backup and deployment scripts
  3. Training: Educate technical teams on command-line alternatives

Long-term vision

The future probably belongs to hybrid solutions: native tools for automation, modern interfaces like NanaZip for end users, and strict validation protocols for any external files.

The final verdict

The vulnerabilities in WinRAR and 7-Zip aren’t just technical flaws; they’re symptoms of an ecosystem that has prioritized convenience over security for too long. RomCom paid $80,000 for an exploit because they knew millions of users blindly trust their compressors.

The question isn’t whether there will be more vulnerabilities—there will be—but whether we’ll be prepared when they arrive. Tool diversification, adoption of publicly audited software, and above all, religious updating of critical systems aren’t technological luxuries: they’re survival requirements in 2025.

In a world where compressing a file can compromise a server, paranoia is no longer a defect; it’s a feature.


Frequently Asked Questions

Should I immediately stop using WinRAR and 7-Zip? It’s not necessary to abandon them if they’re updated (WinRAR 7.13+ and 7-Zip 25.01+). However, consider diversifying with alternatives like PeaZip or NanaZip to reduce dependence on a single tool.

Are open-source tools more secure than proprietary ones? Not automatically, but they offer transparency that allows independent audits. The xz-utils case showed they can also be compromised, but detection and correction was faster than in comparable proprietary software.

Which alternative offers the best balance between security and ease of use? For Windows users, NanaZip combines 7-Zip’s power with a modern interface. For organizations, PeaZip offers advanced security features like two-factor authentication. For critical corporate cases, Unix native tools (gzip, xz) provide maximum stability.

Why do attackers focus so much on compression software? Compressors combine three attractive characteristics: they’re installed on almost all systems, handle external files without automatic verification, and users trust them without question. A successful WinRAR exploit is worth $80,000 because it can compromise millions of machines simultaneously.

Source: Noticias de seguridad
