WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups

Jim Gagnard, Board Advisor

December 11, 2025 3 min read

TL;DR

  • This article details the active exploitation of WinRAR vulnerability CVE-2025-6218, a path traversal flaw allowing remote code execution. CISA has added it to its Known Exploited Vulnerabilities catalog, with threat actors like Bitter and Gamaredon leveraging it in attacks. The vulnerability was patched by RARLAB in WinRAR version 7.12.

WinRAR Vulnerability CVE-2025-6218 Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in WinRAR to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.

Identified as CVE-2025-6218 (CVSS score: 7.8), the vulnerability is a path traversal bug that can lead to code execution if a user visits a malicious page or opens a malicious file. RARLAB patched the vulnerability in WinRAR 7.12 in June 2025, affecting only Windows-based builds.

Technical Details of CVE-2025-6218

CVE-2025-6218 is described as a path traversal vulnerability allowing attackers to execute code within the context of the current user. CISA notes that RARLAB WinRAR is affected. The vulnerability arises from improper handling of file paths within archive files, enabling a crafted file path to traverse to unintended directories. For more details, refer to the Zero Day Initiative advisory.

According to RARLAB, this flaw could be exploited to place files in sensitive locations, such as the Windows Startup folder, leading to unintended code execution upon system login. SecPod offers an analysis dissecting the exploit.

Threat Actors Exploiting the Vulnerability

Multiple threat actors are actively exploiting CVE-2025-6218, including:

  • GOFFEE (aka Paper Werewolf): This group may have exploited CVE-2025-6218 along with CVE-2025-8088 in attacks targeting organizations via phishing emails in July 2025, according to BI.ZONE.
  • Bitter (aka APT-C-08 or Manlinghua): Bitter APT has weaponized the vulnerability to establish persistence on compromised hosts and deploy a C# trojan using a lightweight downloader, as reported by SecPod. The attack involves a RAR archive containing a benign Word document and a malicious macro template. Foresiet details how the malicious archive drops a file named Normal.dotm into Microsoft Word's global template path, ensuring automatic execution of malicious macro code.
  • Gamaredon: This Russian hacking group has exploited CVE-2025-6218 in phishing campaigns targeting Ukrainian entities to infect them with the Pteranodon malware, as noted by Synaptic Security.
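The two technical passages above describe the same underlying trick: an archive member whose stored path contains `..` segments or an absolute path so that extraction lands the file in the user's Startup folder or in Word's global template location (the Normal.dotm case). The following defender-side checker is an added example, not code from the article or from RARLAB; it takes a list of archive member names (for instance copied from an `unrar l` listing) and flags entries that would escape the extraction directory or resolve to one of those sensitive destinations. The destination patterns and the sample listing are constructed for this example.

```python
import posixpath
import re

# Destinations an extracted file would have to reach to get automatic execution,
# as described in the article: the per-user Startup folder, Word's STARTUP
# add-in folder, and Normal.dotm in the Templates folder. Constructed patterns.
SENSITIVE_DESTINATIONS = (
    re.compile(r"/start menu/programs/startup/", re.I),
    re.compile(r"/microsoft/word/startup/", re.I),
    re.compile(r"/microsoft/templates/normal\.dotm$", re.I),
)


def classify_entry(name: str) -> list[str]:
    """Return findings for one archive member name (empty list = nothing suspicious).

    Checks: absolute paths / drive letters, '..' segments that escape the
    extraction directory, and entries that resolve to a sensitive location.
    """
    findings = []
    unified = name.replace("\\", "/")  # RAR entries from Windows may use backslashes
    if re.match(r"^[A-Za-z]:", unified) or unified.startswith("/"):
        findings.append("absolute-path")
    # normpath collapses 'a/../b' -> 'b' but keeps leading '..' segments intact,
    # so anything still starting with '..' escapes the extraction directory.
    norm = posixpath.normpath(unified)
    if norm == ".." or norm.startswith("../"):
        findings.append("escapes-extraction-dir")
    for pattern in SENSITIVE_DESTINATIONS:
        if pattern.search("/" + norm):  # leading '/' so patterns also match at position 0
            findings.append("sensitive-destination")
            break
    return findings


def scan_archive_listing(names) -> dict[str, list[str]]:
    """Scan member names and return only the suspicious ones with their findings."""
    return {n: f for n in names if (f := classify_entry(n))}


# Constructed sample listing: benign content plus crafted traversal entries.
SAMPLE_LISTING = [
    "Invoice_Q3.docx",
    "images/logo.png",
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Users\\Public\\readme.txt",
]

if __name__ == "__main__":
    for entry, findings in scan_archive_listing(SAMPLE_LISTING).items():
        print(f"{entry!r}: {', '.join(findings)}")
```

Run against a real listing, any entry reported as `escapes-extraction-dir` or `absolute-path` is reason enough to quarantine the archive before it is opened with a vulnerable WinRAR build.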

Gamaredon's Use of CVE-2025-6218 and Destructive Operations

Gamaredon has also abused CVE-2025-8088 to deliver malicious Visual Basic Script malware and deploy a wiper called GamaWiper. ClearSky reported this as the first instance of Gamaredon conducting destructive operations, moving beyond traditional espionage.

A security researcher known as Robin described the activity as a structured, military-oriented espionage and sabotage operation.

CISA Requirements and Remediation

In response to active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply necessary fixes by December 30, 2025, to secure their networks, as mandated by CISA. CISA's BOD 22-01 requires remediation of identified vulnerabilities by the due date to protect FCEB networks.

Mitigation Strategies

To defend against these types of attacks, Gopher Security recommends the following:

  • Ensure all software and devices are up to date.
  • Employ a real-time anti-malware solution with web protection.
  • Download software only from trusted sources.
  • Verify the legitimacy of unexpected attachments through a separate communication channel before opening them.
  • Exercise caution with files from unknown or untrusted sources.

Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, converging networking and security across devices, apps, and environments. Our platform uses peer-to-peer encrypted tunnels and quantum-resistant cryptography to protect against advanced threats. Contact us today to learn more about how we can help secure your organization.

