CVE-2025-6218
Published: 21 June 2025
Summary
CVE-2025-6218 is a high-severity Path Traversal (CWE-22) vulnerability in RARLAB WinRAR. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 9.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
RARLAB WinRAR contains a directory traversal vulnerability that permits remote code execution. The flaw resides in the handling of file paths inside archive files, where a crafted path can cause the application to write files to unintended directories. Affected installations allow an attacker to execute arbitrary code in the context of the current user when the malicious archive is processed.
Exploitation requires user interaction, such as opening a malicious archive file or visiting a page that delivers one. An attacker can leverage the traversal to place executable content in a location that leads to code execution under the privileges of the logged-in user. The vulnerability carries a CVSS 3.0 score of 7.8 and is tracked as ZDI-CAN-27198 and CWE-22.
Vendor and third-party advisories, including the official RARLAB release and the Zero Day Initiative bulletin ZDI-25-409, direct users to apply the latest WinRAR update that corrects path handling. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Public reporting links the issue to APT-C-08 activity, with detailed analyses describing targeted archive-based attacks. The EPSS score reached a peak of 0.0832 after starting from a lower value, indicating rising exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28706
Vulnerability details
RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
- CWE(s): CWE-22
- KEV Date Added: 09 December 2025
Related Threats
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The WinRAR directory traversal vulnerability (CVE-2025-6218) enables exploitation for client execution (T1203) via crafted RAR archives, allowing arbitrary file placement outside the extraction directory. Observed exploitation drops malicious Normal.dotm into Word's template path for persistence (T1137.001).
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Enforces validation of file paths extracted from archives, directly blocking the crafted-path directory traversal that enables the RCE.
SI-3 (Malicious Code Protection): Requires malicious-code detection mechanisms that can inspect and block malicious RAR archives before extraction or execution occurs.
Monitors and verifies integrity of files written by archive tools, enabling detection of unauthorized files placed outside expected directories.
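As an added illustration of the input-validation control (SI-10), and not code from WinRAR, RARLAB or any advisory cited above: a Python check an archive extractor can apply to each member name before writing anything, rejecting names that would resolve outside the destination directory. The member names in SAMPLE_MEMBERS are constructed samples, not entries from a real archive.

```python
import os
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed sample of archive member names (not taken from any real archive)
# that a safe extractor must classify before it writes anything to disk.
SAMPLE_MEMBERS = [
    "docs/report.txt",
    "./notes/readme.md",
    "../outside.txt",
    "sub/../../escape.txt",
    "..\\..\\escape.txt",
    "/etc/passwd",
    "C:\\Users\\Public\\evil.exe",
    "\\\\server\\share\\file.txt",
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


def safe_member_path(dest_dir: str, member: str) -> Optional[str]:
    """Return the absolute on-disk path for an archive member, or None if the
    member name would escape dest_dir (path traversal, CWE-22)."""
    # Treat backslashes as separators: archives written on Windows use them, and
    # posixpath.normpath would otherwise keep "..\\x" as one harmless-looking component.
    name = member.replace("\\", "/")
    # Reject absolute, drive-letter and UNC paths outright; members must be relative.
    if name.startswith("/") or _DRIVE_RE.match(name):
        return None
    norm = posixpath.normpath(name)
    parts = norm.split("/")
    # After normalisation, any surviving ".." means the path climbs above the root.
    if norm in ("", ".") or ".." in parts:
        return None
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    # Final guard: the resolved path must still sit inside the destination.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def classify(dest_dir: str, members: List[str]) -> Tuple[List[str], List[str]]:
    """Split member names into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for m in members:
        (accepted if safe_member_path(dest_dir, m) else rejected).append(m)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = classify("/tmp/extract", SAMPLE_MEMBERS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check normalises first and validates the resolved path second, so a member that hides the traversal behind a benign prefix (such as `sub/../../escape.txt`) is rejected even though its raw name never starts with `..`.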