CVE-2025-6218

7.8 HIGH CISA KEV

📋 TL;DR

WinRAR does not properly sanitize the file paths stored inside an archive, so an attacker who gets a user to extract a crafted archive can make WinRAR write a file to a location of the attacker's choosing instead of the directory the user selected (directory traversal). Dropping a payload into an autorun location such as the user's Startup folder turns that file write into code execution at the next logon. Exploitation requires user interaction but no privileges, and every vulnerable WinRAR build is affected in its default configuration.

💻 Affected Systems

Products:
  • RARLAB WinRAR
Versions: 7.11 and earlier (fixed in 7.12)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. User interaction required (extracting a malicious archive). The vendor's 7.12 fix notes also cover the Windows command-line RAR, UnRAR and UnRAR.dll, so third-party software that bundles an old UnRAR.dll needs an updated library as well; Unix builds are not affected.

📦 What is this software?

WinRAR is RARLAB's archive manager for Windows, used to create and extract RAR, ZIP and other archive formats. The same extraction code ships as the console RAR/UnRAR tools and as UnRAR.dll, which other Windows programs embed to read RAR archives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the victim's computer, data theft, ransomware deployment, and lateral movement within networks.

🟠

Likely Case

Malware installation leading to data exfiltration, credential theft, or system disruption for individual users who open malicious archives.

🟢

If Mitigated

Limited impact with proper security controls like application whitelisting, restricted user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires the user to extract a malicious archive; no authentication or elevated privileges are needed, and crafting the archive is straightforward. APT groups have been observed exploiting this vulnerability in targeted attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WinRAR 7.12 and later (first fixed in 7.12 beta 1)

Vendor Advisory: https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6

Restart Required: No

Instructions:

1. Download WinRAR 7.12 or later from the official website (win-rar.com), matching the installed architecture. 2. Run the installer over the existing installation. 3. Follow the installation prompts. 4. Verify the version in Help > About WinRAR. 5. Update or replace any third-party software that bundles an older UnRAR.dll.

🔧 Temporary Workarounds

Do not extract untrusted archives with a vulnerable WinRAR

windows

Exploitation happens at extraction time, so removing WinRAR as the default handler for archive types only stops the double-click path: any extraction of a crafted archive with a vulnerable build is still exploitable. Until patched, treat archives arriving by e-mail or download as untrusted and do not extract them with WinRAR.

Use alternative archive software

windows

Temporarily extract with 7-Zip or another archive tool until patching is complete. Keep that tool patched as well; archive extractors are a recurring target for path traversal bugs.

🧯 If You Can't Patch

  • Implement application control/allowlisting to block WinRAR execution, and to block unsigned binaries and scripts from running out of user-writable locations such as Startup folders
  • Restrict user privileges so a dropped payload runs without administrative rights. Note that the typical drop target, the user's own Startup folder, is writable by a standard user, so this limits impact rather than preventing exploitation

🔍 How to Verify

Check if Vulnerable:

Open WinRAR, go to Help > About WinRAR, check if version is below 7.12

Check Version:

PowerShell (the GUI WinRAR.exe does not print its version to the console; check both the 64-bit and 32-bit install paths):

(Get-Item "$env:ProgramFiles\WinRAR\WinRAR.exe").VersionInfo.ProductVersion
(Get-Item "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe").VersionInfo.ProductVersion

The console tool Rar.exe prints its version banner when run with no arguments.

Verify Fix Applied:

Open WinRAR, go to Help > About WinRAR, confirm version is 7.12 or higher

📡 Detection & Monitoring

Log Indicators:

  • WinRAR.exe spawning script hosts or other unusual child processes (post-exploitation behaviour; the traversal write itself is silent)
  • WinRAR.exe creating files outside the directory the user extracted to, in particular in a Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or the all-users equivalent under %ProgramData%)
  • Archive entries whose stored names contain '..' components, absolute or drive-rooted paths, or point at autorun locations
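The last indicator can be checked before anything is extracted by reading the archive's own headers. The following Python script is an added example, not part of this page or of RARLAB's code: it walks RAR5 block headers (signature, CRC32, vint-encoded sizes, the name field of file headers) and flags stored names that contain a '..' component, an absolute or drive-rooted path, a backslash (RAR5 stores relative names with '/' separators) or a Startup folder path. The rules are generic traversal heuristics, not a signature for this CVE's exact trigger. The sample archive is constructed inline by a minimal writer in the same script, and its entry path and file name are invented.

```python
import re
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"          # RAR4 archives start with b"Rar!\x1a\x07\x00" instead
HDR_MAIN, HDR_FILE, HDR_END = 1, 2, 5               # header types used here
FLAG_EXTRA, FLAG_DATA = 0x0001, 0x0002              # header flags: extra area / data area present

def read_vint(buf, pos):
    """RAR5 variable-length integer: 7 bits per byte, high bit set means another byte follows."""
    value, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def iter_entries(data):
    """Yield (header_type, name) for every header; name is None unless it is a file header."""
    if not data.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIGNATURE)
    while pos + 4 < len(data):                      # loop ends once the end-of-archive header is consumed
        size_start = pos + 4
        stored_crc = int.from_bytes(data[pos:size_start], "little")
        header_size, pos = read_vint(data, size_start)
        header_end = pos + header_size              # header size is counted from the type field onward
        if zlib.crc32(data[size_start:header_end]) != stored_crc:
            raise ValueError(f"header CRC mismatch at offset {size_start - 4}")
        htype, pos = read_vint(data, pos)
        hflags, pos = read_vint(data, pos)
        _extra_size, pos = read_vint(data, pos) if hflags & FLAG_EXTRA else (0, pos)
        data_size, pos = read_vint(data, pos) if hflags & FLAG_DATA else (0, pos)
        name = None
        if htype == HDR_FILE:
            file_flags, pos = read_vint(data, pos)
            _unpacked_size, pos = read_vint(data, pos)
            _attributes, pos = read_vint(data, pos)
            pos += 4 * bool(file_flags & 0x0002) + 4 * bool(file_flags & 0x0004)  # mtime, data CRC32
            _compression, pos = read_vint(data, pos)
            _host_os, pos = read_vint(data, pos)
            name_len, pos = read_vint(data, pos)
            name = data[pos:pos + name_len].decode("utf-8", "replace")
        yield htype, name
        pos = header_end + data_size                # skip any extra area plus the packed data

# Heuristics, not a signature for this CVE: RAR5 stores relative names with '/' separators.
RULES = (
    ("parent-directory component", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute or drive-rooted path", re.compile(r"^([\\/]|[A-Za-z]:)")),
    ("backslash separator", re.compile(r"\\")),
    ("autorun location", re.compile(r"start menu[\\/]programs[\\/]startup[\\/]", re.I)),
)

def suspicious_entries(data):
    """Return [(name, [reasons])] for file entries whose stored name trips at least one rule."""
    findings = []
    for _htype, name in iter_entries(data):
        reasons = [label for label, rx in RULES if name is not None and rx.search(name)]
        if reasons:
            findings.append((name, reasons))
    return findings

# Minimal RAR5 writer (stored entries, no compression), used only to build the constructed sample.
def vint(value):
    out = bytearray()
    while value > 0x7F:
        out.append(value & 0x7F | 0x80)
        value >>= 7
    return bytes(out + bytes([value]))

def _header(body, payload=b""):
    size_and_body = vint(len(body)) + body          # the CRC32 covers the size field through header end
    return zlib.crc32(size_and_body).to_bytes(4, "little") + size_and_body + payload

def build_rar5(entries):
    blob = bytearray(RAR5_SIGNATURE)
    blob += _header(vint(HDR_MAIN) + vint(0) + vint(0))            # main header, archive flags = 0
    for name, payload in entries:
        raw = name.encode("utf-8")
        body = (vint(HDR_FILE) + vint(FLAG_DATA) + vint(len(payload))
                + vint(0) + vint(len(payload)) + vint(0x20)         # file flags, unpacked size, attributes
                + vint(0) + vint(0)                                 # compression = stored, host OS = Windows
                + vint(len(raw)) + raw)
        blob += _header(body, payload)
    blob += _header(vint(HDR_END) + vint(0) + vint(0))             # end header, end-of-archive flags = 0
    return bytes(blob)

# Constructed sample: one benign entry and one whose stored name climbs into the user's Startup folder.
SAMPLE_ARCHIVE = build_rar5([
    ("invoice/invoice.pdf", b"%PDF-1.4 constructed"),
    ("../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk", b"L\x00\x00\x00"),
])

if __name__ == "__main__":                          # usage: python scan_rar5.py [archive.rar]
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ARCHIVE
    for name, reasons in suspicious_entries(blob):
        print(f"SUSPICIOUS {name!r}: {', '.join(reasons)}")
```

Run with an archive path to scan a real file; with no argument it scans the constructed sample and reports the second entry with both the parent-directory and the autorun reasons. It handles RAR5 only (RAR4 has a different signature) and stops with a CRC error on archives that encrypt their headers, so those still have to be opened with a patched extractor.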

Network Indicators:

  • WinRAR process making unexpected network connections after archive extraction
  • Downloads of archive files from suspicious sources

SIEM Query:

Process Creation where ParentImage ends with '\WinRAR.exe' and Image ends with any of ('\powershell.exe', '\pwsh.exe', '\cmd.exe', '\wscript.exe', '\cscript.exe')

Matching on the child image name rather than on CommandLine substrings avoids false positives from any command line that merely contains 'cmd'. Pair it with a file-creation rule, which observes the traversal write itself rather than the payload that follows: FileCreate where Image ends with '\WinRAR.exe' and TargetFilename contains '\Start Menu\Programs\Startup\'.
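Run over Sysmon-style events, the process query and the file-write indicator look like this. The Python below is an added example, not a rule shipped by any vendor: it matches Sysmon Event ID 1 (ProcessCreate: ParentImage, Image, CommandLine) on the child image name and Event ID 11 (FileCreate: Image, TargetFilename) on WinRAR writing into a Startup folder. The events are constructed in the script with invented hosts, paths and timestamps; in practice feed it events exported from the Microsoft-Windows-Sysmon/Operational log or your SIEM.

```python
import ntpath

WINRAR_IMAGE = "winrar.exe"
# Script hosts an extracted payload is typically launched through (the page's query names the first three).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders end in this fragment.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

def _base(path):
    """Lower-cased final component of a Windows path; tolerates a missing field."""
    return ntpath.basename(path or "").lower()

def flag_event(event):
    """Return a finding label for one Sysmon-style event dict, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 1 and _base(event.get("ParentImage")) == WINRAR_IMAGE:
        # ProcessCreate: WinRAR launching a script host. Matched on the child image, not on a
        # CommandLine substring, so a benign command line containing 'cmd' does not fire.
        if _base(event.get("Image")) in INTERPRETERS:
            return "winrar_spawned_interpreter"
    elif eid == 11 and _base(event.get("Image")) == WINRAR_IMAGE:
        # FileCreate: the traversal write itself, landing in a Startup folder instead of the
        # directory the user extracted to.
        if STARTUP_FRAGMENT in (event.get("TargetFilename") or "").lower():
            return "winrar_wrote_startup_folder"
    return None

def hunt(events):
    """Return [(UtcTime, label, detail)] for every flagged event, in input order."""
    findings = []
    for ev in events:
        label = flag_event(ev)
        if label:
            detail = ev.get("CommandLine") or ev.get("TargetFilename")
            findings.append((ev.get("UtcTime"), label, detail))
    return findings

# Constructed Sysmon-style events (user, paths, command lines and times are invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-07-01 09:14:02.101", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r'"notepad.exe" C:\Users\alice\Downloads\notes.txt'},
    {"EventID": 11, "UtcTime": "2025-07-01 09:14:05.412", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.pdf"},
    {"EventID": 11, "UtcTime": "2025-07-01 09:14:05.418", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1, "UtcTime": "2025-07-01 09:14:09.007", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "UtcTime": "2025-07-01 09:15:00.000", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for when, label, detail in hunt(SAMPLE_EVENTS):
        print(f"{when} {label}: {detail}")
```

On the sample this reports the Startup-folder write and the PowerShell child, and ignores WinRAR opening Notepad, the normal extraction into Downloads, and cmd.exe started from Explorer. The FileCreate rule is the one that fires when the dropped file is a shortcut or binary that only runs at the next logon, since that later execution is parented by Explorer, not WinRAR.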
