Directory Traversal Remote Code Execution Weakness in RARLAB WinRAR
CVE-2025-6218
What is CVE-2025-6218?
CVE-2025-6218 is a security vulnerability within RARLAB WinRAR, a widely used file compression and extraction tool that facilitates the management of archives. This particular vulnerability arises from improper handling of file paths, which can allow remote attackers to conduct directory traversal attacks. By exploiting this flaw, an attacker can potentially execute arbitrary code on a compromised system, but user interaction is necessary, as the victim must either visit a malicious webpage or open a specifically crafted file.
The issue primarily stems from the way WinRAR processes directory paths contained in archive files, which can allow archive contents to land outside the intended extraction directory and ultimately lead to code execution. This weakness is particularly serious because it opens the door for attackers to run malicious scripts and compromise the system with the privileges of the currently logged-in user.
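A defender-side pre-extraction check for the weakness class described above, added here as an example; it is not WinRAR's code and does not model the specific CVE-2025-6218 logic. It flags archive entry names that would resolve outside the extraction directory, using Python's standard-library zipfile for the demonstration (RAR parsing needs a third-party library); the entry names are constructed.

```python
import io
import ntpath
import posixpath
import zipfile


def is_unsafe_entry(name: str, root: str = "extract") -> bool:
    """True if `name` would resolve outside `root` (a virtual anchor only).

    Handles '/' and '\\' separators, '..' segments, absolute POSIX paths,
    Windows drive letters (C:...) and UNC prefixes (\\\\server\\share).
    """
    unified = name.replace("\\", "/")
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return True
    joined = posixpath.normpath(posixpath.join(root, unified))
    return not (joined == root or joined.startswith(root + "/"))


def audit_entries(names):
    """Return the entry names that should block extraction of the archive."""
    return [n for n in names if is_unsafe_entry(n)]


def safe_extract(archive: zipfile.ZipFile, dest: str) -> list:
    """Extract only if every entry passes the check; return rejected names."""
    rejected = audit_entries(archive.namelist())
    if not rejected:
        archive.extractall(dest)
    return rejected


# Constructed sample entry names mixing benign and traversal-style paths.
SAMPLE_ENTRIES = [
    "report/summary.txt",     # benign
    "report/../notes.txt",    # '..' that still stays inside the root
    "..\\..\\outside.exe",    # Windows-style escape from the root
    "../outside.txt",         # POSIX-style escape from the root
    "C:\\temp\\outside.txt",  # absolute drive path
    "/tmp/outside.txt",       # absolute POSIX path
]


def build_sample_zip() -> zipfile.ZipFile:
    """In-memory ZIP carrying SAMPLE_ENTRIES as its entry names (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_ENTRIES:
            zf.writestr(name, b"x")
    buf.seek(0)
    return zipfile.ZipFile(buf)
```

`safe_extract(build_sample_zip(), "out")` refuses the archive and returns the four escaping names; an archive whose entries all pass is extracted normally.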
Potential impact of CVE-2025-6218
- Remote Code Execution: The most critical impact of this vulnerability is its potential to allow an attacker to execute arbitrary code remotely. This capability can lead to significant control over the affected system, including the installation of malware or the exfiltration of sensitive data.
- User Interaction Requirement: Although the exploit requires user interaction, it still poses a threat, as users may not be aware of the risks associated with opening unknown files or visiting suspicious links. This reliance on user behavior can make organizations vulnerable to social engineering attacks.
- Broad System Compromise: Given WinRAR's widespread use in various environments, a successful exploit could lead to widespread system and network breaches within an organization. If compromised, an attacker could propagate malware throughout a company's infrastructure, leading to potential data loss, operational downtime, and financial repercussions.
CISA has reported CVE-2025-6218
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-6218 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
WinRAR 7.11 (64-bit)
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups
CISA warns WinRAR CVE-2025-6218 is under active attack by multiple threat groups, requiring federal fixes by Dec. 30, 2025.
17 hours ago
U.S. CISA adds Microsoft Windows and WinRAR flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA adds Microsoft Windows and WinRAR flaws to its Known Exploited Vulnerabilities catalog.
19 hours ago
APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations
APT-C-08 exploits new WinRAR flaw (CVE-2025-6218) to target South Asian governments, stealing sensitive data via malicious archives.
1 month ago
EPSS Score
8% chance of being exploited in the next 30 days.
Timeline
- Used in Ransomware
- CISA Reported
- Vulnerability started trending
- Public PoC available
- Exploit known to exist
- First article discovered by GBHackers News
- Vulnerability published
