Active Exploitation of WinRAR Path Traversal Vulnerability CVE-2025-6218
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the WinRAR path traversal vulnerability, CVE-2025-6218, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This flaw, which affects Windows-based versions of WinRAR prior to version 7.12, allows attackers to execute arbitrary code by tricking users into opening malicious archives or visiting compromised web pages. The vulnerability enables attackers to write files outside intended directories, potentially leading to code execution with the privileges of the current user, and can be exploited to place files in sensitive locations such as the Windows Startup folder.
Multiple threat groups, including GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon, have been observed exploiting CVE-2025-6218 in the wild. Attacks have involved phishing emails containing malicious RAR archives, with some campaigns using the vulnerability to establish persistence and deploy trojans on targeted systems. RARLAB addressed the issue in June 2025 with the release of WinRAR 7.12, and users are urged to update to the latest version to mitigate the risk of exploitation. The vulnerability does not affect WinRAR versions for Unix or Android platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate by December 30
Following the KEV additions, CISA directed Federal Civilian Executive Branch agencies to address both vulnerabilities by December 30, 2025. The agency also urged private-sector organizations to review and remediate the issues.
CISA adds WinRAR and Windows flaws to KEV catalog
CISA added CVE-2025-6218 in WinRAR and CVE-2025-62221 in the Microsoft Windows Cloud Files Mini Filter Driver to its Known Exploited Vulnerabilities catalog, citing active exploitation. The Windows flaw is a use-after-free issue that can allow local privilege escalation to SYSTEM.
Multiple threat groups exploit CVE-2025-6218 in phishing campaigns
After the flaw became available for abuse, multiple threat actors including GOFFEE, Bitter, and Gamaredon used CVE-2025-6218 in targeted spear-phishing campaigns. The activity enabled code execution, persistence, and deployment of malware including trojans and wipers, with Gamaredon targeting Ukrainian entities.
WinRAR 7.12 patches CVE-2025-6218
In June 2025, RARLAB released WinRAR version 7.12 to fix CVE-2025-6218, a directory traversal/path traversal flaw affecting Windows versions of the software. The bug could allow code execution when a user opens a malicious archive or visits a malicious webpage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
U.S. CISA adds Microsoft Windows and WinRAR flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceWarning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Threat Actors Exploit WinRAR Path Traversal Flaw to Gain Persistence
Google Threat Intelligence Group reported broad exploitation of **CVE-2025-8088**, a critical WinRAR path traversal vulnerability that lets attackers use malicious RAR archives with Windows Alternate Data Streams to write files to arbitrary locations. In observed attacks, the flaw was commonly used to drop payloads into the Windows Startup folder so malware would execute at the next user logon, giving intruders persistence after a victim opened a crafted archive. The activity has been linked to both state-backed and financially motivated actors, including clusters associated with Russia and China, with targeting focused on military, government, and technology organizations. Exploitation began as early as July 18, 2025, and continued after RARLAB released a fix in **WinRAR 7.13** on July 30, 2025, turning the issue into an actively abused n-day vulnerability; defenders were urged to patch quickly, keep archive software updated, and rely on protections such as Safe Browsing and Gmail filtering to block weaponized files.
Jun 29, 2026
Ongoing Exploitation of WinRAR Path Traversal Vulnerability CVE-2025-8088
**Google Threat Intelligence Group (GTIG)** reported ongoing, widening exploitation of a high-severity WinRAR path traversal flaw, **CVE-2025-8088**, roughly six months after it was disclosed and patched by RARLAB. GTIG assessed exploitation began as early as **July 18, 2025** (including activity nearly two weeks before the vendor fix) and has expanded across a diverse set of adversaries, spanning **Russia- and China-linked espionage actors** as well as **financially motivated cybercriminals**. Reported targeting includes military, government, and technology organizations, with multiple Russia-aligned operations focusing on **Ukrainian** entities. Technical reporting indicates the vulnerability abuses **Windows Alternate Data Streams (ADS)** within crafted archives to perform directory traversal and write files to arbitrary locations, including the Windows **Startup** folder for persistence. GTIG and other researchers describe exploit chains where a user opens a benign decoy (e.g., a PDF) while hidden ADS entries extract and drop executable content such as `LNK`, `HTA`, `BAT`, `CMD`, or script files that run at login; observed payloads include **remote access trojans, infostealers**, and malware frameworks used by named state actors (e.g., **RomCom/UNC4895**, **APT44**, **TEMP.Armageddon**, **Turla**) in addition to broader criminal activity across multiple regions.
Jun 29, 2026
WinRAR Flaw Let Attackers Achieve Code Execution via Malicious Archives
Check Point Research disclosed a **19-year-old vulnerability** in WinRAR that could be exploited to achieve **arbitrary code execution** when a user opened a specially crafted archive. The issue affected WinRAR's handling of the legacy `ACE` archive format through the bundled `UNACEV2.DLL` library, allowing attackers to manipulate file extraction paths and place malicious executables into startup folders or other sensitive locations. The flaw meant a booby-trapped archive could trigger malware execution on the next system reboot or user logon, turning a common archive-opening action into an infection vector. Because WinRAR had an estimated **hundreds of millions of users**, the disclosure highlighted broad exposure and the risk of weaponized archive files in phishing and malware campaigns until users upgraded to a patched version that removed support for the vulnerable `UNACEV2.DLL` component.
Jun 29, 2026