Directory Traversal Remote Code Execution Weakness in RARLAB WinRAR
CVE-2025-6218

7.8 HIGH

Key Information:

Vendor: Rarlab
CVE Published: 21 June 2025

Badges

📈 Score: 330 · 👾 Exploit Exists · 🟡 Public PoC · 📰 News Worthy

What is CVE-2025-6218?

CVE-2025-6218 is a security vulnerability in RARLAB WinRAR, a widely used file compression and extraction tool for managing archives. The vulnerability arises from improper handling of file paths, which allows remote attackers to conduct directory traversal attacks. By exploiting this flaw, an attacker can potentially execute arbitrary code on an affected system. User interaction is required: the victim must either visit a malicious webpage or open a specially crafted file.

The issue stems from the way WinRAR processes directory paths in archive files: a path stored in an archive can reach outside the intended directory structure, which can in turn lead to code execution. This weakness is particularly serious because it lets attackers run malicious scripts and compromise the system with the privileges of the currently logged-in user.
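An added example, not from the original page or from RARLAB: a pre-extraction check that flags archive member names which would resolve outside the extraction directory under Windows path rules. The function names and the sample member names are constructed for illustration; trimming spaces around `..` is a conservative assumption, not a statement of how this CVE is triggered.

```python
import ntpath  # Windows path semantics, usable on any platform


def escapes_destination(member_name: str) -> bool:
    """Return True if a member name could be written outside the extraction root."""
    # Archives may store either separator; Windows accepts both.
    name = member_name.replace("/", "\\")

    # Drive-qualified (C:\x, C:x), UNC (\\server\share) and rooted (\x) names
    # ignore the extraction directory entirely.
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return True

    # Walk the components and track depth relative to the extraction root.
    depth = 0
    for part in rest.split("\\"):
        part = part.strip(" ")  # conservative: treat ".. " like ".."
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the root at this point
                return True
        else:
            depth += 1
    return False


def audit_members(member_names):
    """Return the subset of names that should block extraction."""
    return [n for n in member_names if escapes_destination(n)]


# Constructed sample listing, as an archive tool might report it.
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "docs\\..\\notes.txt",         # stays inside the root
    "..\\..\\outside.txt",
    "docs/../../outside.txt",
    ".. \\outside.txt",            # padded parent reference
    "C:\\Users\\Public\\x.txt",
    "\\\\server\\share\\x.txt",
]

if __name__ == "__main__":
    for flagged in audit_members(SAMPLE_MEMBERS):
        print("blocked:", flagged)
```
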

Potential impact of CVE-2025-6218

  1. Remote Code Execution: The most critical impact of this vulnerability is its potential to allow an attacker to execute arbitrary code remotely. This capability can lead to significant control over the affected system, including the installation of malware or the exfiltration of sensitive data.

  2. User Interaction Requirement: Although the exploit requires user interaction, it still poses a threat, as users may not be aware of the risks associated with opening unknown files or visiting suspicious links. This reliance on user behavior can make organizations vulnerable to social engineering attacks.

  3. Broad System Compromise: Given WinRAR's widespread use in various environments, a successful exploit could lead to widespread system and network breaches within an organization. If compromised, an attacker could propagate malware throughout a company's infrastructure, leading to potential data loss, operational downtime, and financial repercussions.

Affected Version(s)

WinRAR 7.11 (64-bit)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Week in review: Backdoor found in SOHO devices running Linux, high-risk WinRAR RCE flaw patched - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Stealthy backdoor found hiding in SOHO devices running

2 weeks ago

Warning! WinRAR: Critical Vulnerability That Could Run Malware

Discover WinRAR vulnerability that allows malware execution via archive extraction. Update to version 7.12 beta 1 now!

3 weeks ago

WinRAR patches bug letting malware launch from extracted archives

WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.

3 weeks ago

CVSS V3.0

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by GBHackers News

  • Vulnerability published
