
CVE-2025-6218

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 21 June 2025
Modified: 10 December 2025
KEV added: 09 December 2025
Patch
CVSS v3 score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0569 (90.6th percentile)
Risk priority: 39 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6218 is a high-severity path traversal (CWE-22) vulnerability in RARLAB WinRAR. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 9.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

RARLAB WinRAR contains a directory traversal vulnerability that permits remote code execution. The flaw resides in the handling of file paths inside archive files, where a crafted path can cause the application to write files to unintended directories. Affected installations allow an attacker to execute arbitrary code in the context of the current user when the malicious archive is processed.

Exploitation requires user interaction, such as opening a malicious archive file or visiting a page that delivers one. An attacker can leverage the traversal to place executable content in a location that leads to code execution under the privileges of the logged-in user. The vulnerability carries a CVSS 3.0 score of 7.8 and is tracked as ZDI-CAN-27198 and CWE-22.
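The flaw described above is a failure to validate member paths before the archive tool writes them to disk. The following added example (not WinRAR code and not from the advisory) shows the check a defender or an extraction tool should apply to each archive member name before touching the filesystem: normalize both separator styles lexically, reject absolute, drive-letter and UNC names, reject anything that still climbs above the destination after normalization, and confirm containment of the joined path. The member names, the destination directory and the function names are constructed for this illustration.

```python
import posixpath
import re

# Constructed sample of archive member names (not taken from a real archive);
# entries mix Windows and POSIX separators the way archive metadata can.
SAMPLE_MEMBERS = [
    "report/summary.txt",                                           # ordinary relative path
    "report\\images\\logo.png",                                     # backslash separators
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",  # climbs out of the destination
    "report/../../../Startup/shortcut.lnk",                         # traversal hidden behind a real directory
    "C:\\Windows\\System32\\drivers\\etc\\hosts",                   # absolute path with drive letter
    "\\\\server\\share\\x.txt",                                     # UNC path
    "/etc/passwd",                                                  # POSIX absolute path
    "report\\..\\notes.txt",                                        # '..' that stays inside the destination
    "data/./config.ini",                                            # harmless '.' segment
    "",                                                             # empty name
]

# Drive letter ("C:") or a leading slash/backslash: never legitimate inside an archive.
DRIVE_OR_ROOTED = re.compile(r"^([A-Za-z]:|[\\/])")


def normalize_member(name: str) -> str:
    """Treat '\\' and '/' alike and collapse '.' and '..' segments lexically.

    The normalization is purely lexical on purpose: the decision has to be made
    on the path string before anything is created on disk.
    """
    return posixpath.normpath(name.replace("\\", "/"))


def classify_member(name: str) -> str:
    """Return 'allow:<normalized path>' or 'reject:<reason>' for one member name."""
    if not name or "\0" in name:
        return "reject:empty-or-nul"
    if DRIVE_OR_ROOTED.match(name):
        return "reject:absolute"
    norm = normalize_member(name)
    # Any '..' that survives normalization escapes the extraction directory.
    if norm == ".." or norm.startswith("../"):
        return "reject:traversal"
    return "allow:" + norm


def destination_path(dest_dir: str, name: str) -> str:
    """Join an allowed member under dest_dir and re-check containment of the result.

    Raises ValueError for any member that does not resolve strictly under dest_dir.
    """
    verdict = classify_member(name)
    if not verdict.startswith("allow:"):
        raise ValueError(f"refusing {name!r}: {verdict}")
    base = posixpath.normpath(dest_dir.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(base, verdict[len("allow:"):]))
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"{name!r} resolves outside {dest_dir!r}")
    return target


def audit_members(members):
    """Split member names into (allowed, rejected) lists of (name, verdict) pairs."""
    allowed, rejected = [], []
    for member in members:
        verdict = classify_member(member)
        (allowed if verdict.startswith("allow:") else rejected).append((member, verdict))
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = audit_members(SAMPLE_MEMBERS)
    for name, verdict in bad:
        print(f"REJECT {name!r}: {verdict}")
    for name, verdict in ok:
        print(f"ALLOW  {name!r} -> {destination_path('C:/Users/alice/Downloads/report', name)}")
```

The two-stage check matters: `classify_member` rejects names on their own, and `destination_path` independently confirms that the joined result stays under the destination, so a mistake in one stage does not silently open the other.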

Vendor and third-party advisories, including the official RARLAB release and the Zero Day Initiative bulletin ZDI-25-409, direct users to apply the latest WinRAR update that corrects path handling. CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

Public reporting links the issue to APT-C-08 activity, with detailed analyses describing targeted archive-based attacks. The EPSS score reached a peak of 0.0832 after starting from a lower value, indicating rising exploitation interest following disclosure.

EU & UK References

Vulnerability details

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

CWE(s)
KEV date added: 09 December 2025

Related Threats

Threat-Actor Attribution (AI)

APT-C-08
WinRAR CVE-2025-6218 zero-day exploitation attributed to APT-C-08 in Foresiet and SecPod reporting.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1137.001 Office Template Macros (tactic: Persistence)
Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system.
Why these techniques?

The WinRAR directory traversal vulnerability (CVE-2025-6218) enables exploitation for client execution (T1203) via crafted RAR archives, allowing arbitrary file placement outside the extraction directory. Observed exploitation drops malicious Normal.dotm into Word's template path for persistence (T1137.001).

Affected Assets

rarlab winrar (versions ≤ 7.12)

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: SI-10 (Information Input Validation) enforces validation of file paths extracted from archives, directly blocking the crafted-path directory traversal that enables the RCE.

Prevent / Detect: SI-3 (Malicious Code Protection) requires malicious-code detection mechanisms that can inspect and block malicious RAR archives before extraction or execution occurs.

Detect: Monitors and verifies integrity of files written by archive tools, enabling detection of unauthorized files placed outside expected directories.
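The "Detect" control above and the observed Normal.dotm drop described under "Why these techniques?" both reduce to one detection: an archive tool creating a file inside a per-user persistence location. The following added example (constructed for this page, not vendor or project code) runs that rule over a few constructed JSON-lines FileCreate events shaped like Sysmon Event ID 11 fields. The list of archiver image names and the Windows Startup folder entry in the watched-directory list are assumptions; the Word template path comes from the page's own analysis. A word processor writing its own template is treated as baseline and not alerted.

```python
import json

# Constructed FileCreate events modelled on Sysmon Event ID 11 fields (sample data, not a real capture).
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\report\\summary.txt"}
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"}
{"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7zFM.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"EventID": 1, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "WinRAR.exe x report.rar"}
"""

# Assumed set of extraction tools to watch; extend to whatever archivers are deployed.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}

# Per-user locations where a dropped file gains persistence. The Word template
# path is the one named on the page; the Word STARTUP and shell Startup folders
# are added here as an assumption about where the same rule should also look.
WATCHED_DIRS = {
    "/appdata/roaming/microsoft/templates/": "office-template",
    "/appdata/roaming/microsoft/word/startup/": "office-template",
    "/appdata/roaming/microsoft/windows/start menu/programs/startup/": "startup-folder",
}


def canon(path: str) -> str:
    """Case-fold and unify separators so one rule covers both path spellings."""
    return path.replace("\\", "/").lower()


def image_name(path: str) -> str:
    """Basename of the process image, lower-cased."""
    return canon(path).rsplit("/", 1)[-1]


def watched_location(target: str):
    """Return (watched_dir, reason) if target lies under a watched directory, else None."""
    c = canon(target)
    for directory, reason in WATCHED_DIRS.items():
        if directory in c:
            return directory, reason
    return None


def detect(log_text: str):
    """Alert on every FileCreate event where an archiver writes into a watched location."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 11:          # only file-creation events carry a target path
            continue
        image = image_name(event["Image"])
        if image not in ARCHIVER_IMAGES:        # WINWORD.EXE touching its own template is baseline
            continue
        hit = watched_location(event["TargetFilename"])
        if hit is None:
            continue
        directory, reason = hit
        alerts.append({
            "image": image,
            "target": event["TargetFilename"],
            "watched_dir": directory,
            "reason": reason,
            # Mapping from the page: template-path drops align with T1137.001.
            "technique": "T1137.001" if reason == "office-template" else "persistence-location",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"ALERT {alert['image']} wrote {alert['target']} ({alert['reason']}, {alert['technique']})")
```

Pairing the process name with the destination is what keeps the rule quiet: the same Normal.dotm write from WINWORD.EXE is expected, while the same write from an archiver is the post-extraction artifact the page describes.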

References