A recently patched security flaw in WinRAR, the popular Windows file archiving tool, is currently being exploited by several threat groups. The vulnerability affects Windows versions of the widely used file archiving tool and involves a path traversal issue that can allow malicious files to be placed outside their intended extraction directory. When combined with phishing or other social engineering tactics, this flaw can enable unauthorized code execution and long-term persistence on a compromised system.
Because this vulnerability requires user interaction to succeed, attackers frequently combine it with phishing tactics to encourage users to open harmful archives. Updating to WinRAR 7.12 or later is the most effective way to mitigate the risk, particularly given the active exploitation by multiple groups.
According to The Hacker News, multiple threat groups are actively exploiting CVE-2025-6218 in ongoing campaigns. Several threat groups have adopted CVE-2025-6218 in their campaigns, primarily distributing malicious RAR archives through targeted phishing emails. They’ve used the vulnerability to establish persistence, deploy backdoors, and conduct espionage across different regions. Their tactics vary by mission and target, but all rely on persuading recipients to open harmful archives that take advantage of WinRAR’s former path handling flaw.
CISA (US Cybersecurity and Infrastructure Security Agency) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the issue is being leveraged in ongoing real-world attacks.
The vulnerability occurs due to improper handling of file paths within certain archive types. When a user opens a malicious RAR file, WinRAR may misinterpret specially crafted paths and extract files to unintended system locations. One potential target is the Windows Startup folder, a location that automatically runs any file inside it during user login. If an attacker can place malicious code there, it may execute without the user’s awareness the next time the system starts.
It affects Windows builds of WinRAR, RAR, UnRAR, and UnRAR.dll. It requires user interaction, opening or extracting a malicious archive, and once triggered can create opportunities for unauthorized activity. RARLAB addressed this flaw in WinRAR 7.12, released earlier this year, making software updates essential for protection.
The 7.12 update release resolves it and introduces several additional security and functional enhancements aimed at improving user safety and software reliability.
Path Traversal Fix for Remote Code Execution
The most critical update addresses the path traversal issue across WinRAR, RAR, UnRAR, and related Windows components. Older versions allowed specially crafted archives to manipulate extraction paths and place files outside their designated directories. This behavior could potentially lead to code execution during system startup or user login. The vulnerability affects only Windows builds; Unix and Android versions are not impacted.
HTML Injection Fix in Report Generation
Earlier versions of WinRAR included archived filenames directly in generated HTML reports. Without proper sanitization, filenames containing HTML tags could lead to limited HTML injection. Version 7.12 resolves this by escaping special characters before inserting them into reports.
Additional Functional Improvements
WinRAR 7.12 also includes updates that enhance reliability and consistency across various workflows, with improved recovery during volume testing and better tracks Unix nanosecond timestamps when modifying archives on Windows for more accurate synchronization for more efficient use for users, especially those that frequently work with large archives, backups, or cross-platform file structures.
Even common utilities can become attack vectors when vulnerabilities go unpatched. With multiple threat actors actively exploiting this flaw, applying the latest WinRAR update is essential for maintaining a secure environment. Staying aware of software updates and being cautious with suspicious archive files can significantly reduce the risk of compromise.
Leave a Reply