CVE-2025-6218: WinRAR Path Traversal Used to Silently Install Malware

CVE ID: CVE-2025-6218
CVSS Score: 7.8 (High)
Status: Actively exploited by multiple threat groups
Added to CISA KEV: December 10, 2025
CISA Patch Deadline: December 30, 2025

Issue Type: Path traversal
Affected Software: WinRAR (Windows only)
Affected Versions: WinRAR 7.11 and earlier
Fixed Version: WinRAR 7.12 (released June 2025)
Impact: Code execution via Windows Startup folder
Known Threat Actors: GOFFEE, Bitter APT


What’s actually wrong with WinRAR here

This vulnerability comes down to how older versions of WinRAR handle file paths when extracting archives.

Normally, when you extract a ZIP or RAR file, everything should land inside the folder you choose. In vulnerable versions of WinRAR, that rule can be broken. A specially crafted archive can tell WinRAR to place files outside the chosen folder — and WinRAR doesn’t stop it.

Attackers use this trick to drop files directly into Windows Startup folders, which means whatever they place there will automatically run the next time the user logs in.

No exploit code, no pop-ups, no warnings — just a normal extraction that quietly sets up persistence.


Why attackers are actively abusing this

This bug is popular with attackers for a few simple reasons:

  • WinRAR is extremely common on Windows systems
  • Opening and extracting archives feels safe to users
  • The attack works without admin rights
  • Antivirus doesn’t always catch it at extraction time
  • Persistence is achieved almost instantly

Because of this, multiple groups have already built phishing campaigns around it.


How the attack usually plays out in the real world

  1. Phishing email arrives
    The victim gets an email that looks routine — invoices, documents, shared files, or project archives. Groups like GOFFEE and Bitter APT are known to use this approach.
  2. Malicious archive inside
    The attached ZIP or RAR file contains entries whose paths look something like this:

      ..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    The user never sees this.
  3. User extracts the archive
    On WinRAR 7.11 or earlier, those paths aren’t properly checked. Files are written straight into the Startup folder instead of the extraction directory.
  4. Persistence is silently created
    A malicious executable, script, or shortcut now lives in Startup. The next time the user logs in, it runs automatically.
  5. Follow-up activity begins
    The payload may download more malware, steal credentials, or open a backdoor. At this point, the attacker has a foothold.

Why this counts as “actively exploited”

This isn’t based on theory or proof-of-concept code. It’s being used right now.

  • Multiple threat groups are confirmed exploiting it
  • Real phishing campaigns are built around it
  • Victims have already been observed
  • CISA added it to KEV quickly, which usually only happens when exploitation is confirmed

This is not something to assume attackers might use — they already are.


Who should be worried about this

Risk is higher if:

  • WinRAR is installed and hasn’t been updated
  • Users frequently open compressed attachments
  • Email filtering allows ZIP/RAR files through
  • Endpoint monitoring is limited
  • Users run as standard, non-admin accounts (the attack needs no elevation, so nothing about it stands out)

Because the attack works at the user level, even locked-down systems can be affected.


Things defenders can realistically detect

Suspicious file creation

file_path CONTAINS "\Startup\"
AND file_created_by IN ("winrar.exe", "rar.exe")

New Startup items appearing suddenly

startup_folder_modified = true
AND previous_user_action = "archive_extraction"

Phishing → extraction → execution chain

email_attachment_type IN ("zip", "rar")
AND process_chain CONTAINS "winrar.exe"
AND subsequent_execution = true

None of these alone prove compromise, but together they’re strong signals.
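To show how the first and third of those pseudo-rules translate into working detection logic, here is an added example (written for this article, not taken from any vendor product or from the campaigns described). It runs over a small set of constructed EDR-style events; the field names, the user "alice", the timestamps and the file names are all assumptions chosen for the example. Rule 1 flags any file written into a Startup folder by an archiver process; rule 2 correlates such a drop with a later process start whose command line references the dropped file, which is what a logon autorun looks like in telemetry.

```python
import re

# Archiver process names named in the article's pseudo-rule.
ARCHIVERS = {"winrar.exe", "rar.exe"}

# Matches both the per-user Startup folder (under AppData\Roaming) and the
# all-users one (under ProgramData); case-insensitive because NTFS is.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed sample telemetry (not from a real incident). Each record is one
# file-create or process-start event as an EDR might emit it.
EVENTS = [
    {"ts": "2025-12-11T09:14:02", "type": "file_create", "user": "alice",
     "process": "winrar.exe",
     "path": r"C:\Users\alice\Downloads\invoice\report.pdf"},
    {"ts": "2025-12-11T09:14:03", "type": "file_create", "user": "alice",
     "process": "winrar.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"ts": "2025-12-11T09:20:10", "type": "file_create", "user": "alice",
     "process": "explorer.exe",
     "path": r"C:\Users\alice\Desktop\notes.txt"},
    {"ts": "2025-12-11T09:21:00", "type": "process_start", "user": "alice",
     "process": "notepad.exe", "parent": "explorer.exe",
     "cmdline": r'notepad.exe "C:\Users\alice\Desktop\notes.txt"'},
    # Next logon: the dropped script is launched from the Startup folder.
    {"ts": "2025-12-12T08:01:15", "type": "process_start", "user": "alice",
     "process": "wscript.exe", "parent": "explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
]


def in_startup_folder(path: str) -> bool:
    """True if the path lies inside a Windows Startup folder."""
    return bool(STARTUP_RE.search(path))


def archiver_writes_to_startup(events):
    """Rule 1: a file created in a Startup folder by an archiver process."""
    return [e for e in events
            if e["type"] == "file_create"
            and e["process"].lower() in ARCHIVERS
            and in_startup_folder(e["path"])]


def drop_then_execute(events):
    """Rule 2: a file an archiver dropped into Startup is later executed.

    Returns (drop_event, exec_event) pairs. ISO-8601 timestamps compare
    correctly as strings, so no date parsing is needed for ordering.
    """
    hits = []
    for drop in archiver_writes_to_startup(events):
        for e in events:
            if (e["type"] == "process_start"
                    and e["ts"] > drop["ts"]
                    and drop["path"].lower() in e.get("cmdline", "").lower()):
                hits.append((drop, e))
    return hits


if __name__ == "__main__":
    for e in archiver_writes_to_startup(EVENTS):
        print(f"[rule 1] {e['ts']} {e['process']} wrote {e['path']}")
    for drop, run in drop_then_execute(EVENTS):
        print(f"[rule 2] dropped {drop['ts']} by {drop['process']}, "
              f"executed {run['ts']} as {run['process']} (parent {run['parent']})")
```

Rule 1 on its own will also fire on legitimate installers that use an archiver to stage files, so in practice it is a hunting lead; rule 2 is the higher-confidence signal because it ties the write to an actual execution at the next logon.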


Signs an endpoint may already be compromised

  • New files in Startup folders with no clear reason
  • Malware launching immediately after login
  • Persistence without any admin-level changes
  • Infections traced back to “just opening an archive”

These attacks often don’t raise alarms right away.


Patch details

The fix

  • Upgrade to WinRAR 7.12
  • This version was released in June 2025
  • It properly validates file paths during extraction
  • Archives can no longer escape the chosen folder

What the patch actually changes

  • Path traversal sequences like ..\ are blocked
  • Files are forced to stay within the extraction directory
  • Malicious archives fail safely instead of succeeding silently
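The class of check the fix performs, as an added illustration written for this article (it is not WinRAR's code and makes no claim about how RARLAB implemented 7.12). It evaluates archive entry names with Windows path semantics on any host, refuses absolute, drive-qualified and UNC names, refuses any ".." component, and finally normalizes the joined path and requires it to remain under the chosen extraction folder. The destination folder and the sample archive listing are constructed for the example; the traversal entry mirrors the Startup-folder pattern described above.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed example: the folder the user chose for extraction (not a real system path).
DEST_DIR = r"C:\Users\alice\Downloads\invoice"


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """Return True only if an archive entry would be written inside dest_dir.

    Three independent checks, evaluated with Windows path rules regardless of
    the host OS (ntpath / PureWindowsPath), so the example runs anywhere:
      1. reject absolute, drive-qualified, rooted or UNC entry names
      2. reject any '..' component, whether or not it would resolve inside
      3. normalize the joined path and require it to stay under dest_dir
    """
    # Windows archivers treat '/' and '\' alike, so fold them before checking.
    name = entry_name.replace("/", "\\")
    p = PureWindowsPath(name)
    if p.drive or p.root or p.is_absolute():
        return False
    if any(part == ".." for part in p.parts):
        return False
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))
    return target == dest or target.startswith(dest + "\\")


def plan_extraction(entries, dest_dir=DEST_DIR):
    """Split archive entries into those that may be written and those that must be refused."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_safe_entry(entry, dest_dir) else rejected).append(entry)
    return accepted, rejected


# Constructed archive listing: two benign entries followed by the kinds of
# entry a safe extractor must refuse. No real payload is involved.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"docs\readme.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs",
    r"docs/../../update.vbs",
    r"C:\Windows\Temp\update.vbs",
    r"\\server\share\update.vbs",
]

if __name__ == "__main__":
    ok, bad = plan_extraction(SAMPLE_ENTRIES)
    for e in ok:
        print("extract:", e)
    for e in bad:
        print("REFUSE :", e)
```

The second check is deliberately stricter than the third: an entry such as docs\..\readme.txt would resolve inside the destination, but refusing every ".." component removes any dependence on how the normalizer handles oddities, and no legitimate archive needs such entries.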

Important note after patching

  • No reboot is required
  • Existing malicious Startup files are not removed automatically
  • Systems should still be checked for compromise

If patching can’t happen immediately

These steps help reduce risk but don’t replace the fix:

  • Block ZIP/RAR attachments from unknown senders
  • Disable WinRAR where feasible
  • Monitor Startup folders closely
  • Warn users about extracting unexpected archives

Still, upgrading is the only real solution.


Why CISA set a hard deadline

CISA’s December 30, 2025 deadline reflects how dangerous this combination is:

  • Active exploitation
  • Low technical barrier
  • High success rate
  • Extremely common software

This is exactly the type of vulnerability that spreads quietly but effectively.


Bottom line

CVE-2025-6218 is simple, reliable, and already being abused. It turns a routine action — extracting an archive — into a persistence mechanism with almost no warning to the user.

If WinRAR is installed and it’s not 7.12 or newer, this should be treated as urgent.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.