Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation
Analysis Summary
# Vulnerability: WinRAR Path Traversal Leading to Code Execution
## CVE Details
- CVE ID: CVE-2025-6218
- CVSS Score: 7.8 (High)
- CWE: Path Traversal
## Affected Systems
- Products: WinRAR file archiver and compression utility
- Versions: All versions prior to WinRAR 7.12
- Configurations: Affects only Windows-based builds. Unix and Android versions are not affected.
## Vulnerability Description
CVE-2025-6218 is a path traversal vulnerability within RARLAB WinRAR. If successfully exploited, an attacker can execute code in the context of the current user. The exploitation mechanism allows an attacker to place files in sensitive locations, such as the Windows Startup folder, which could lead to unintended code execution upon the next system login. Exploitation success requires the target to open a malicious file (e.g., a specially crafted RAR archive delivered via phishing) or visit a malicious page.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV catalog)
- Complexity: Medium (Requires user interaction: opening a malicious file)
- Attack Vector: Local (Code executes in the user's context after archive processing)
## Impact
- Confidentiality: Medium/High (Potential access to user data via subsequent malware execution)
- Integrity: High (Ability to place arbitrary files, leading to persistence mechanisms like dropping files in the Startup folder)
- Availability: Medium (Potential for malware execution disrupting system operations)
## Remediation
### Patches
- **WinRAR version 7.12** (Patched in June 2025)
### Workarounds
- No specific vendor workarounds were provided beyond patching. Users should avoid opening suspicious RAR archives received via email or other untrusted sources.
## Detection
- **Indicators of Compromise (IoCs):** Threat actors (GOFFEE, Bitter, Gamaredon) have been observed using malicious RAR archives that leverage this vulnerability to drop payloads (e.g., C# trojans, Pteranodon malware). Look for file creation events in sensitive locations, such as the Microsoft Word global template path (replacement of `Normal.dotm`) or the Windows Startup folder, occurring immediately after an untrusted archive is extracted.
- **Detection Methods and Tools:** Monitor network traffic for connections to known C2 infrastructure associated with threat actors exploiting this vulnerability (e.g., `johnfashionaccess[.]com`). Endpoint Detection and Response (EDR) tools should monitor for attempts to write files to user startup locations or unusual process executions following archive handling.
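As an added illustration of the endpoint check described above (example code, not from the original report or any vendor), the following Python correlates file-creation events with the creating process and flags writes by an archive handler into the Startup folder or the Word `Normal.dotm` path. The log format, process names and sample events are constructed assumptions; a real deployment would feed it Sysmon FileCreate (Event ID 11) records or the equivalent EDR telemetry.

```python
import ntpath
import re
from dataclasses import dataclass

# Sensitive destinations named in the advisory: the per-user Startup folder and
# the Word global template. Matched case-insensitively on the normalized path.
SENSITIVE_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
    re.compile(r"\\Microsoft\\Templates\\Normal\.dotm$", re.I),
]
# Assumed set of archive-handling process names to correlate against.
ARCHIVE_HANDLERS = {"winrar.exe", "unrar.exe"}

@dataclass
class FileEvent:
    utc: str
    image: str    # process that created the file
    target: str   # full path of the created file, as logged

def parse_event(line: str) -> FileEvent:
    # Constructed "key=value|key=value" line, modelled on a Sysmon FileCreate export.
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return FileEvent(fields["UtcTime"], fields["Image"], fields["TargetFilename"])

def normalize(path: str) -> str:
    # Resolve '..' segments so a traversal-style path and its canonical form hit the same rule.
    return ntpath.normpath(path)

def is_sensitive(path: str) -> bool:
    norm = normalize(path)
    return any(p.search(norm) for p in SENSITIVE_PATTERNS)

def flag_events(lines):
    """Return (timestamp, normalized path) for sensitive writes made by an archive handler."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ntpath.basename(ev.image).lower() in ARCHIVE_HANDLERS and is_sensitive(ev.target):
            hits.append((ev.utc, normalize(ev.target)))
    return hits

# Constructed sample telemetry: two suspicious writes by WinRAR, one benign extraction,
# and Word itself updating Normal.dotm (expected behaviour, so not flagged).
SAMPLE_LOG = [
    r"UtcTime=2025-10-21 09:14:02|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\invoice\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"UtcTime=2025-10-21 09:14:02|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\invoice\report.pdf",
    r"UtcTime=2025-10-21 09:14:03|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"UtcTime=2025-10-21 09:20:45|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm",
]

if __name__ == "__main__":
    for utc, path in flag_events(SAMPLE_LOG):
        print(f"{utc}  archive handler wrote to sensitive location: {path}")
```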
## References
- CISA KEV Catalog Entry: (See CISA documentation for the official KEV listing)
- Vendor Advisory History: Patch released in WinRAR 7.12 (June 2025).
- Relevant Security Reporting: Reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security detail active exploitation by GOFFEE, Bitter (APT-C-08), and Gamaredon.