WinRAR CVE-2025-6218 Vulnerability Under Active Attack by Threat Groups
TL;DR
WinRAR Vulnerability CVE-2025-6218 Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in WinRAR to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.
Identified as CVE-2025-6218 (CVSS score: 7.8), the vulnerability is a path traversal bug that can lead to code execution if a user visits a malicious page or opens a malicious file. It affects only Windows builds of WinRAR; RARLAB patched it in WinRAR 7.12 in June 2025.
Technical Details of CVE-2025-6218
CVE-2025-6218 is described as a path traversal vulnerability allowing attackers to execute code within the context of the current user. CISA notes that RARLAB WinRAR is affected. The vulnerability arises from improper handling of file paths within archive files, enabling a crafted file path to traverse to unintended directories. For more details, refer to the Zero Day Initiative advisory.
According to RARLAB, this flaw could be exploited to place files in sensitive locations, such as the Windows Startup folder, leading to unintended code execution upon system login. SecPod offers an analysis dissecting the exploit.
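The check a safe extractor has to make is the one described above: resolve each archive entry name against the extraction directory and refuse any entry that lands outside it. The following is an added example, not code from the page, RARLAB, or any of the cited vendors. It applies Windows path semantics (via Python's ntpath module, so it runs on any OS) to a constructed list of archive entry names, flags entries that escape the extraction root or contain ".." components, and additionally flags entries that resolve into the two locations the page names as targets, the Startup folder and Word's global template directory. The extraction root and the entry names are constructed sample values.

```python
"""Scan archive entry names for path-traversal attempts using Windows path rules.

Added example: a defender-side pre-extraction check, not a WinRAR component.
"""
import ntpath
from dataclasses import dataclass

# Constructed extraction root (any absolute Windows path works).
DEST_ROOT = r"C:\Users\victim\Downloads\invoice"

# Directory fragments (lower-case, backslash form) that the page describes as
# drop targets for traversing entries: the Startup folder and Word's template
# path. Assumed heuristic markers, not an exhaustive list.
SENSITIVE_MARKERS = (
    r"\start menu\programs\startup" + "\\",
    r"\appdata\roaming\microsoft\templates" + "\\",
)

# Constructed entry names modelled on the behaviour the page describes.
SAMPLE_ENTRIES = [
    "invoice.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",
    r"C:\Temp\dropped.txt",
    r"..\invoice\readme.txt",
]


@dataclass
class Finding:
    entry: str
    resolved: str
    escapes_root: bool   # resolved path lies outside the extraction root
    has_dotdot: bool     # entry contains a ".." component at all
    hits_sensitive: bool # resolved path lands in a known persistence location

    @property
    def suspicious(self) -> bool:
        return self.escapes_root or self.has_dotdot or self.hits_sensitive


def resolve_under(dest_root: str, entry_name: str) -> str:
    """Resolve entry_name the way a naive extractor would: join, then normalize.

    ntpath.join discards dest_root when entry_name is absolute or drive-rooted,
    and normpath collapses ".." components, which is exactly the behaviour
    that lets a crafted name leave the extraction directory.
    """
    return ntpath.normpath(ntpath.join(ntpath.normpath(dest_root), entry_name))


def escapes(dest_root: str, resolved: str) -> bool:
    """True if resolved is not dest_root itself or a path beneath it.

    Comparison is case-insensitive (ntpath.normcase) to match NTFS behaviour.
    """
    root = ntpath.normcase(ntpath.normpath(dest_root))
    target = ntpath.normcase(resolved)
    return not (target == root or target.startswith(root + ntpath.sep))


def inspect_entry(dest_root: str, entry_name: str) -> Finding:
    """Classify one archive entry name."""
    resolved = resolve_under(dest_root, entry_name)
    components = entry_name.replace("/", "\\").split("\\")
    lowered = ntpath.normcase(resolved)
    return Finding(
        entry=entry_name,
        resolved=resolved,
        escapes_root=escapes(dest_root, resolved),
        has_dotdot=".." in components,
        hits_sensitive=any(marker in lowered for marker in SENSITIVE_MARKERS),
    )


def scan(dest_root: str, entry_names) -> list:
    """Inspect every entry and return the findings in order."""
    return [inspect_entry(dest_root, name) for name in entry_names]


def safe_to_extract(dest_root: str, entry_names) -> bool:
    """True only if no entry in the archive listing is suspicious."""
    return not any(f.suspicious for f in scan(dest_root, entry_names))


if __name__ == "__main__":
    for f in scan(DEST_ROOT, SAMPLE_ENTRIES):
        flags = []
        if f.escapes_root:
            flags.append("ESCAPES-ROOT")
        if f.has_dotdot:
            flags.append("DOTDOT")
        if f.hits_sensitive:
            flags.append("SENSITIVE-TARGET")
        print(f"{f.entry!r:80} -> {f.resolved}  {' '.join(flags) or 'ok'}")
    print("safe to extract:", safe_to_extract(DEST_ROOT, SAMPLE_ENTRIES))
```

The ".." heuristic is deliberately stricter than the containment check: the last sample entry resolves back inside the extraction root, so a containment-only check accepts it, but an archive that needs ".." to reach a file under its own root has no legitimate reason to, so a scanner should still flag it. In a real pipeline the entry names would come from the archive listing rather than a constructed list.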
Threat Actors Exploiting the Vulnerability
Multiple threat actors are actively exploiting CVE-2025-6218, including:
- GOFFEE (aka Paper Werewolf): This group may have exploited CVE-2025-6218 along with CVE-2025-8088 in attacks targeting organizations via phishing emails in July 2025, according to BI.ZONE.
- Bitter (aka APT-C-08 or Manlinghua): Bitter APT has weaponized the vulnerability to establish persistence on compromised hosts and deploy a C# trojan using a lightweight downloader, as reported by SecPod. The attack involves a RAR archive containing a benign Word document and a malicious macro template. Foresiet details how the malicious archive drops a file named Normal.dotm into Microsoft Word's global template path, ensuring automatic execution of malicious macro code.
- Gamaredon: This Russian hacking group has exploited CVE-2025-6218 in phishing campaigns targeting Ukrainian entities to infect them with the Pteranodon malware, as noted by Synaptic Security.
Gamaredon's Use of CVE-2025-6218 and Destructive Operations
Gamaredon has also abused CVE-2025-8088 to deliver Visual Basic Script malware and deploy a wiper called GamaWiper. ClearSky reported this as the first instance of Gamaredon conducting destructive operations, moving beyond traditional espionage.
A security researcher known as Robin described the activity as a structured, military-oriented espionage and sabotage operation.
CISA Requirements and Remediation
In response to the active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary fixes by December 30, 2025, to secure their networks. The deadline follows from CISA's Binding Operational Directive (BOD) 22-01, which requires FCEB agencies to remediate vulnerabilities in the KEV catalog by their due dates.
Mitigation Strategies
To defend against these types of attacks, Gopher Security recommends the following:
- Keep all software and devices up to date, including updating WinRAR to version 7.12 or later.
- Employ a real-time anti-malware solution with web protection.
- Download software only from trusted sources.
- Verify the legitimacy of unexpected attachments through a separate communication channel before opening them.
- Exercise caution with files from unknown or untrusted sources.
Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, converging networking and security across devices, apps, and environments. Our platform uses peer-to-peer encrypted tunnels and quantum-resistant cryptography to protect against advanced threats. Contact us today to learn more about how we can help secure your organization.