
WinRAR Vulnerability CVE-2025-6218

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a security flaw in the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog. The agency cited evidence that the vulnerability is actively being exploited in the wild, raising concerns for organizations and individual users alike.

The flaw, tracked as CVE-2025-6218 with a CVSS score of 7.8, is a path traversal vulnerability in how WinRAR handles file paths stored inside an archive. A crafted entry name can make the extractor write a file outside the directory the user selected, and any code dropped that way runs in the context of the current user. Successful exploitation requires user interaction: the target must either visit a malicious website or open (and extract) a specially crafted archive.

Details of the Flaw and Patch Status

RARLAB addressed this vulnerability in WinRAR 7.12, released in June 2025. The flaw affects Windows-based builds only; versions for Unix, Android, and other platforms remain unaffected.

The vulnerability enables attackers to place files in sensitive user-writable locations, such as the Windows Startup folder, so that a dropped executable or script runs the next time the user logs in. Execution is therefore not immediate on extraction; the archive only has to be unpacked once for the persistence to be in place.
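The core of the bug is an extractor that trusts the entry name and joins it onto the destination directory. The following is an added example, not code from WinRAR or RARLAB, that contrasts that naive join with the containment check a hardened extractor performs; it emulates Windows path semantics with `ntpath` so it runs on any OS, and the destination path and archive entry names are constructed for illustration. It goes slightly beyond this CVE by also rejecting absolute paths and alternate data stream names (the `file:stream` form abused in the related CVE-2025-8088):

```python
import ntpath

# Destination the user chose for extraction (constructed example path).
DEST = r"C:\Users\alice\Downloads\extracted"

# Constructed archive entry names: the first two are the kind of names a
# crafted archive carries (Startup folder drop, Word global template drop),
# the last two are benign.
SAMPLE_ENTRIES = [
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"report\Provision of Information.docx",
    r"readme.txt",
]


def naive_target(dest, entry):
    """Where an extractor that trusts the entry name ends up writing."""
    return ntpath.normpath(ntpath.join(dest, entry))


def safe_target(dest, entry):
    """Return the resolved on-disk path if it stays inside dest, else None."""
    # Reject rooted entries outright: drive letters, UNC paths, leading slashes.
    if ntpath.isabs(entry) or ntpath.splitdrive(entry)[0] or entry[:1] in ("\\", "/"):
        return None
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, entry))
    # Containment check: after collapsing '..', the target must equal dest
    # or start with dest followed by a separator.
    if target != dest_norm and not target.startswith(dest_norm + ntpath.sep):
        return None
    # An NTFS alternate data stream name in the final component (file.txt:x)
    # would write somewhere other than the visible file; refuse it too.
    if ":" in ntpath.basename(target):
        return None
    return target


def classify(dest, entries):
    """Map each entry to 'ok' or 'blocked' as the hardened extractor would."""
    return {e: ("blocked" if safe_target(dest, e) is None else "ok") for e in entries}


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{classify(DEST, [entry])[entry]:8} naive -> {naive_target(DEST, entry)}")
```

Running it shows the two traversal entries resolving, under the naive join, to the Startup folder and to Word's template directory, while `safe_target` refuses both and accepts the benign entries unchanged.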

Threat Actor Activity

Multiple cybersecurity reports indicate that CVE-2025-6218 has been exploited by three distinct threat actors:

  • GOFFEE (Paper Werewolf)
  • Bitter (APT-C-08 / Manlinghua)
  • Gamaredon

GOFFEE Campaigns

In July 2025, GOFFEE reportedly combined CVE-2025-6218 with CVE-2025-8088, another high-severity WinRAR path traversal vulnerability (CVSS score 8.8, fixed separately in WinRAR 7.13), to target organizations via phishing emails. Chaining two archive-handling flaws in one campaign suggests a coordinated and well-resourced effort to compromise corporate environments.

Bitter APT Exploitation

Bitter, a South Asia-focused APT group, weaponized the vulnerability to establish persistence on compromised systems and deploy a C# trojan via a lightweight downloader. The attack uses a RAR archive named Provision of Information for Sectoral for AJK.rar, which contains a benign Word document as the decoy and a malicious macro template as the payload.

Key mechanics of the attack include:

  • Dropping Normal.dotm into Microsoft Word's global template path (under the user's Templates folder), ensuring the macro executes automatically every time Word is opened.
  • Sidestepping the macro protections normally applied to email attachments: the template is loaded from a location Word trusts rather than from the downloaded document, so the macro-blocking that Mark-of-the-Web triggers on attachments does not apply to it, including for documents received after the compromise.
  • Enabling the trojan to contact an external C2 server at johnfashionaccess.com, facilitating keylogging, screenshot capture, RDP credential theft, and file exfiltration.

These archives are primarily distributed through spear-phishing campaigns.

Gamaredon Exploitation

The Russian-affiliated Gamaredon group has also leveraged CVE-2025-6218 in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities. The campaign, observed in November 2025, delivered the group's long-running Pteranodon malware family.

Evidence indicates this is not opportunistic activity. It represents structured, military-oriented espionage and sabotage, likely coordinated by Russian state intelligence. Additionally, Gamaredon has abused CVE-2025-8088 to deliver Visual Basic Script malware and deploy a destructive wiper named GamaWiper, marking the group's first observed transition from espionage to destructive operations.

Takeaways for Security Teams

Organizations and security teams should prioritize the following actions:

  • Ensure all Windows systems running WinRAR are updated to version 7.12 or later; since the actors above also abuse CVE-2025-8088, which was fixed in 7.13, treat 7.13 as the practical minimum. WinRAR has no auto-update mechanism, so this requires an inventory and a push rather than waiting for the client to update itself.
  • Remain vigilant against phishing campaigns, particularly spear-phishing emails containing RAR archives or Word documents.
  • Monitor for the artifacts these campaigns leave behind: new files in the per-user Startup folder, a macro-enabled Normal.dotm appearing in the Word Templates folder, and persistent backdoor, keylogging, or C2 communication behaviour.
  • Recognize that state-sponsored actors may combine multiple vulnerabilities for targeted attacks.
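As a concrete starting point for the monitoring item above, here is an added example (not a tool from the original page) that checks the two drop locations named in this advisory: whether the user's Normal.dotm carries a VBA project, and which files in the Startup folder were modified recently. A .dotm is an OOXML zip, and a macro project is stored at word/vbaProject.bin inside it, which is what the check keys on. The `demo()` function runs the same checks against constructed fixtures in a temporary directory so the logic can be exercised offline; the `%APPDATA%` paths are the defaults for a per-user Office install and are assumptions about the host being inspected:

```python
import os
import tempfile
import time
import zipfile

# Default per-user locations (assumed; both resolve via %APPDATA% on Windows).
TEMPLATE_PATH = os.path.expandvars(r"%APPDATA%\Microsoft\Templates\Normal.dotm")
STARTUP_DIR = os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup")


def has_vba_project(path):
    """True if the OOXML template at path contains a VBA macro project."""
    if not os.path.isfile(path):
        return False
    try:
        with zipfile.ZipFile(path) as z:
            return "word/vbaProject.bin" in z.namelist()
    except zipfile.BadZipFile:
        # Not a valid OOXML container; a real Normal.dotm always is.
        return False


def recent_entries(folder, max_age_hours=24):
    """Files in folder modified within max_age_hours, newest first."""
    if not os.path.isdir(folder):
        return []
    cutoff = time.time() - max_age_hours * 3600
    hits = [
        os.path.join(folder, name)
        for name in os.listdir(folder)
        if os.path.isfile(os.path.join(folder, name))
        and os.path.getmtime(os.path.join(folder, name)) >= cutoff
    ]
    return sorted(hits, key=os.path.getmtime, reverse=True)


def check_host(template_path=TEMPLATE_PATH, startup_dir=STARTUP_DIR):
    """Run both checks against the live host and return the findings."""
    return {
        "normal_dotm_has_macros": has_vba_project(template_path),
        "recent_startup_items": recent_entries(startup_dir),
    }


def build_sample(tmpdir):
    """Constructed fixtures: one macro-enabled template and one clean one."""
    def write_dotm(name, with_macro):
        p = os.path.join(tmpdir, name)
        with zipfile.ZipFile(p, "w") as z:
            z.writestr("[Content_Types].xml", "<Types/>")
            z.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                z.writestr("word/vbaProject.bin", b"\x00fake-vba-project")
        return p
    return write_dotm("Normal.dotm", True), write_dotm("Clean.dotm", False)


def demo():
    """Exercise the checks offline on the constructed fixtures."""
    tmp = tempfile.mkdtemp()
    macro_template, clean_template = build_sample(tmp)
    return {
        "macro_template_flagged": has_vba_project(macro_template),
        "clean_template_flagged": has_vba_project(clean_template),
        "recent_in_tmp": [os.path.basename(p) for p in recent_entries(tmp)],
    }


if __name__ == "__main__":
    print("offline demo:", demo())
    print("this host:", check_host())
```

A legitimate Normal.dotm with no user macros usually has no vbaProject.bin at all, so a positive result on a host where nobody writes macros is worth a look; a Startup folder entry that appeared at the same time as a RAR extraction is the stronger signal for this specific chain.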

Proactive patching, email security hygiene, and endpoint monitoring are critical to mitigating these advanced threats and limiting the operational impact of exploited vulnerabilities like CVE-2025-6218.
