A threat actor, “zeroplayer,” has advertised an alleged zero-day Remote Code Execution (RCE) exploit for the WinRAR archiving software on a dark web forum. The asking price for the exploit is listed as $80,000.
Description:
On July 7, 2025, a threat actor identified as “zeroplayer” was spotted advertising an alleged zero-day exploit on the Russian-language dark web forum “Exploit.in”. The actor is offering an allegedly fully functional Remote Code Execution (RCE) exploit for WinRAR, with an asking price of $80,000. In the post, “zeroplayer” emphasizes that this is a new vulnerability, distinct from the recently patched CVE-2025-6218. As an aside, Obrela has observed a recent increase in malicious .rar and .zip archive files, which could indicate an expanded threat landscape related to archive vulnerabilities.
Affected Versions:
According to the threat actor’s claims, the exploit affects the latest and all previous versions of WinRAR.
Recommendations:
- Keep Software Updated: Ensure your WinRAR application is always updated to the latest version. While the seller claims this exploit affects the most recent release, maintaining up-to-date software is a crucial general security measure.
- Untrusted Senders: Double-check archives originating from untrusted senders and scan them with at least 2 AV solutions before opening.
- Monitor for Official Patches: Monitor for official announcements from RARLAB, the developers of WinRAR, and be prepared to apply a security patch as soon as one is released for this alleged vulnerability.
References:
- https://x.com/darkeye_team/status/1942514413128286681
- https://habr.com/ru/news/926072/