Critical WinRAR Vulnerability CVE-2025-6218 Allows Remote Code Execution Through Path Traversal Attack

CyberSecureFox Editorial Team

Update (2025-12-09): CISA added CVE-2025-6218 to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of December 30, 2025. Three threat actors — GOFFEE (Paper Werewolf), Bitter (APT-C-08), and Gamaredon — are confirmed to be actively exploiting this flaw. Federal agencies and organizations following CISA BOD 22-01 are required to patch by the deadline.

WinRAR developers released an emergency security update to address CVE-2025-6218, a path traversal vulnerability enabling remote code execution (RCE) through specially crafted archive files. This flaw carries a CVSS score of 7.8 (High) and affects all WinRAR Windows versions prior to 7.12.

Understanding the Path Traversal Vulnerability

The vulnerability, discovered by security researcher whs3-detonator, is a classic path traversal flaw. An archive entry's stored path is supposed to be relative to the directory the user chose for extraction; if the extractor does not validate that path, an attacker can use directory-climbing segments or absolute paths to make it write files outside that directory.

Malicious actors can craft weaponized archives whose entries carry such manipulated relative paths, forcing WinRAR to extract content into directories the user never selected. The most dangerous aspect of this vulnerability is its ability to place executable files directly into Windows startup folders, where they run automatically at the next user login without any further user interaction.
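The check that a safe extractor has to perform is illustrated below with an added Python example (not WinRAR code and not from the original advisory). It resolves each archive member name against a chosen extraction root using Windows path rules (via `ntpath`, so it runs on any host) and reports the members that would land outside that root. The extraction root and the member names are constructed for illustration.

```python
"""Audit archive member names for path traversal before extraction.

Added example, not part of the original article. Uses ntpath so the
Windows path semantics are reproduced on any host.
"""
import ntpath

# Constructed extraction directory (assumption for illustration).
EXTRACT_ROOT = r"C:\Users\alice\Downloads\extract"

# Constructed member names as an extractor might read them from an archive.
SAMPLE_MEMBERS = [
    r"docs\readme.txt",                                   # benign, stays inside
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Windows\Temp\payload.exe",                        # absolute path, ignores root
    r"images/../../escape.txt",                            # forward slashes and ".." mid-path
    r"nested\..\still_inside.txt",                         # ".." that does not escape
]


def resolve_target(extract_root: str, member: str) -> str:
    """Return the normalized Windows path the member would be written to.

    ntpath.join discards the root when the member is absolute or drive-rooted,
    and ntpath.normpath collapses ".." segments, so the result is the real
    destination rather than the string the archive presents.
    """
    root = ntpath.normpath(extract_root)
    return ntpath.normpath(ntpath.join(root, member))


def is_inside_root(extract_root: str, member: str) -> bool:
    """True only if the resolved destination is the root or a descendant of it."""
    root = ntpath.normcase(ntpath.normpath(extract_root))
    target = ntpath.normcase(resolve_target(extract_root, member))
    return target == root or target.startswith(root + ntpath.sep)


def audit_members(extract_root: str, members) -> list:
    """Return (member, resolved_target) pairs for every member that would escape."""
    return [
        (m, resolve_target(extract_root, m))
        for m in members
        if not is_inside_root(extract_root, m)
    ]


if __name__ == "__main__":
    for member, target in audit_members(EXTRACT_ROOT, SAMPLE_MEMBERS):
        print(f"REJECT {member!r} -> would write to {target}")
```

The comparison is made on the resolved path, not on the raw member string, so a `..` buried in the middle of a name or a forward-slash variant is caught the same way as an obvious leading `..\`. An extractor that applies this check can refuse the entry or strip the path to its file name before writing.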

Affected Versions and Attack Surface

The security flaw impacts all Windows versions of WinRAR up to and including version 7.11. Beyond the main WinRAR application, the vulnerability also affects related components: RAR for Windows, the UnRAR utility, the UnRAR.dll library, and the portable source code of those components.

Given WinRAR’s widespread adoption across Windows environments globally, security experts estimate that tens of millions of devices remain vulnerable to this attack vector. The fix has been implemented in WinRAR version 7.12 beta 1, released this month as an urgent security patch.

Attack Scenarios and Impact Assessment

While the malicious code executes with standard user privileges rather than administrative rights, attackers can still achieve significant compromise objectives through this vulnerability.

Data exfiltration capabilities represent the primary concern for security professionals. Threat actors can deploy malware designed to harvest browser-stored credentials, session cookies, form auto-fill data, and other sensitive user information stored on compromised systems.

The establishment of persistent access mechanisms enables cybercriminals to maintain long-term presence within victim networks. This includes creating covert communication channels with command-and-control infrastructure, facilitating ongoing surveillance and potential lateral movement activities.

Additional Security Improvements

The WinRAR 7.12 beta 1 update addresses a secondary vulnerability involving HTML injection flaws in report generation, discovered by security researcher Marcin Bobryk. This separate issue allowed attackers to inject arbitrary HTML and JavaScript code into WinRAR-generated reports by manipulating archive file names containing special HTML characters.

When users opened these compromised reports in web browsers, the embedded malicious scripts could execute, potentially leading to cross-site scripting attacks or information disclosure scenarios.

Systems running WinRAR 7.11 and earlier

All users of WinRAR for Windows versions 7.11 and earlier are at risk. This includes home users, enterprises, and government agencies. Related components — RAR for Windows, the UnRAR utility, and UnRAR.dll — are also affected. Linux/Unix and Android versions of WinRAR are not affected. Given WinRAR’s widespread adoption, millions of Windows systems remain exposed until patched.

Mitigation: Update Immediately

  • Update WinRAR to version 7.12 or later — download from the official WinRAR website. Do not rely on automatic updates; verify the installed version manually.
  • Do not open RAR archives from untrusted sources until the patch is applied — emails, downloads from unofficial sites, and file-sharing platforms are common delivery vectors.
  • Organizations under CISA BOD 22-01: patch by December 30, 2025 per the KEV remediation deadline.
  • Deploy endpoint detection rules for unusual writes to Windows startup folders (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) as an indicator of exploitation attempts.
  • Review WinRAR usage across the environment using software inventory tools; prioritize patching on endpoints handling external archive files (email gateways, download workstations).
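The detection rule suggested above can be prototyped as follows. This is an added Python example, not a rule shipped with any product: it scans constructed file-creation events whose field names are modelled on Sysmon Event ID 11 (FileCreate: `Image`, `TargetFilename`, `User`), flags any write into a per-user or all-users Startup folder, and raises the severity when the writing process is an archiver. The sample events, user name and process paths are constructed for illustration.

```python
"""Flag file creations inside Windows Startup folders from JSON event lines.

Added example, not from the original article. Field names follow Sysmon
Event ID 11; the event records themselves are constructed for illustration.
"""
import json

# Matches both %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and
# the all-users folder under %ProgramData% once the path is lower-cased.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Archive tools whose writes into a Startup folder deserve a high severity.
ARCHIVER_IMAGES = {"winrar.exe", "unrar.exe", "rar.exe"}

# Constructed sample events, serialized to one JSON line each.
_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "User": "LAB\\alice",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "User": "LAB\\alice",
     "TargetFilename": r"C:\Users\alice\Downloads\extract\readme.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "User": "LAB\\alice",
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\tool.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "User": "LAB\\alice",
     "TargetFilename": ""},
]
SAMPLE_LOG = [json.dumps(e) for e in _EVENTS]


def is_startup_write(target_filename: str) -> bool:
    """True if the path points into a Startup folder (case-insensitive, either slash)."""
    normalized = target_filename.replace("/", "\\").lower()
    return STARTUP_MARKER in normalized


def classify_event(event: dict):
    """Return an alert dict for a Startup-folder write, or None if not interesting."""
    if event.get("EventID") != 11:            # only file-creation events
        return None
    target = event.get("TargetFilename", "")
    if not is_startup_write(target):
        return None
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    severity = "high" if image_name in ARCHIVER_IMAGES else "medium"
    return {
        "severity": severity,
        "process": image_name,
        "user": event.get("User", ""),
        "target": target,
    }


def scan_events(lines) -> list:
    """Parse JSON event lines and return the alerts they produce, in order."""
    alerts = []
    for line in lines:
        alert = classify_event(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['process']} wrote {alert['target']} as {alert['user']}")
```

Writes into Startup by any process are worth a look, since legitimate installers do use it, but an archiver writing there is rarely expected and is the pattern this vulnerability produces, hence the two severities. Tuning for a real environment means adding the allow-list of installers that are known to drop shortcuts there.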

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.
