CVE-2025-6218
RARLAB WinRAR Path Traversal Vulnerability - [Actively Exploited]
Description
RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
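The flaw described above comes down to an extractor honouring entry names that, once resolved, point outside the directory the user chose for extraction. The block below is an added example, not WinRAR's code and not one of the proof-of-concept repositories listed further down this page: it shows the containment check (the CWE-22 mitigation) an extractor should run on every entry name before creating a file, applied to a constructed list of entry names. The destination path and every entry name are illustrative, not taken from a real sample. The check deliberately covers both separator styles, drive-qualified and UNC prefixes, and the Win32 habit of stripping trailing dots and spaces from names, all of which a naive `".." in name` test misses.

```python
"""Containment check for archive entry names (CWE-22).  Added illustration:
this is not WinRAR's code and not one of the PoCs listed on this page.
ntpath is used so the Windows path rules apply wherever the script runs."""
import ntpath

# Extraction directory chosen by the user.  Hypothetical path.
DEST_DIR = r"C:\Users\alice\Downloads\extract"

# Entry names of the kinds a crafted archive could carry.  Constructed for
# this example, not taken from a real sample.
SAMPLE_ENTRIES = [
    "report/summary.txt",              # ordinary relative name
    "report/./sub/../notes.txt",       # dot segments that never leave DEST_DIR
    "report\\..\\..\\escaped.txt",     # classic traversal, Windows separators
    "../../escaped.txt",               # same traversal with POSIX separators
    "C:\\Users\\Public\\escaped.txt",  # drive-qualified absolute path
    "\\\\srv\\share\\escaped.txt",     # UNC path
    "\\escaped.txt",                   # rooted path without a drive letter
    "backup...\\file.txt",             # segment Win32 would silently rewrite
    "report\\..\\",                    # resolves to DEST_DIR itself: nothing to write
]


def contained_segments(entry_name):
    """Interpret entry_name as a Windows extractor would and return its path
    segments relative to the extraction directory, or None when honouring the
    name would mean writing outside that directory (or writing nothing)."""
    unified = entry_name.replace("/", "\\")
    # Drive-qualified (C:...), UNC (\\srv\share) and rooted (\x) names are
    # never relative to the extraction directory.
    if unified.startswith("\\") or ntpath.splitdrive(unified)[0]:
        return None
    if "\x00" in unified:              # an embedded NUL truncates the Win32 name
        return None
    stack = []
    for seg in unified.split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None            # climbs above the extraction directory
            stack.pop()
            continue
        # Win32 strips trailing dots and spaces from each name, so a segment
        # such as ".. " or "..." would be re-interpreted after this check.
        # Refuse such segments rather than try to mimic that normalisation.
        if seg != seg.rstrip(". "):
            return None
        stack.append(seg)
    return stack or None


def resolve_entry(dest_dir, entry_name):
    """Return the absolute path an entry may be written to, or None if the
    entry must be refused."""
    segs = contained_segments(entry_name)
    if segs is None:
        return None
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, *segs))
    # Defence in depth: re-check containment on the final, normalised path.
    if ntpath.commonpath([base, target]) != base:
        return None
    return target


def audit(entries, dest_dir=DEST_DIR):
    """Map each entry name to its resolved target path, or None if refused."""
    return {name: resolve_entry(dest_dir, name) for name in entries}


if __name__ == "__main__":
    for name, target in audit(SAMPLE_ENTRIES).items():
        print(f"{'OK    ' if target else 'REFUSE'}  {name!r:36} -> {target}")
```

An extractor that writes only to the path returned by `resolve_entry` cannot be steered outside `dest_dir` by the entry name alone. What this check does not cover is a directory junction or symbolic link created by an earlier entry in the same archive, which is a separate containment problem and needs a check at write time as well.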
INFO
Published Date: June 21, 2025, 1:15 a.m.
Last Modified: Dec. 10, 2025, 1:48 p.m.
Remotely Exploitable: No
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Description: RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9
- https://nvd.nist.gov/vuln/detail/CVE-2025-6218
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| 7.8 | CVSS 3.0 | HIGH | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | [email protected] |
The vector is the one recorded in the change history at the end of this page; the base score and sub-scores are computed from it. AV:L and UI:R capture the delivery model: the attacker needs a user to open or extract a crafted archive on the local machine, which is why the INFO block lists the flaw as not remotely exploitable, and C/I/A:H reflects arbitrary code execution with that user's privileges.
Solution
- Update RARLAB WinRAR to 7.12 or later. The NVD CPE configuration (see the change history below) marks every version before 7.12 as affected, so verify the installed version rather than assuming an update has happened.
- Treat archives from untrusted sources as hostile. Exploitation requires a user to extract a crafted archive (CVSS AV:L, UI:R), and the resulting code runs with that user's privileges, so the user-context mitigations (least privilege, not extracting as an administrator) limit the blast radius but do not replace the update.
- Apply the vendor's release notes and security patches as they become available (the WinRAR release note is linked in the references below).
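The update bullet is only actionable if you can tell which installs are still below the fixed version. The helper below is an added example, not vendor tooling and not one of the repositories listed on this page: it classifies WinRAR version strings against the NVD CPE range recorded here (affected: every version before 7.12) and, on Windows, collects those strings from the standard Uninstall registry keys. The registry paths are the usual ones; the assumption that WinRAR's uninstall entry carries a DisplayName containing "WinRAR" and a DisplayVersion of the form "7.11.0" is made here for illustration and is not something this page states, so adjust the filter if your fleet reports differently. The sample inputs at the bottom are constructed, not readings from a real host.

```python
"""Patch-level audit for CVE-2025-6218.  Added example, not vendor code.
Affected range per the NVD CPE configuration on this page: WinRAR < 7.12.
Registry locations and the shape of WinRAR's uninstall entry are assumptions."""
import platform
import re

FIXED_IN = (7, 12)      # NVD CPE: versions up to (excluding) 7.12 are affected

# First "major.minor" pair in the string.  WinRAR numbers releases with a
# two-digit minor (7.01, 7.10, 7.11, 7.12), so a third component is ignored.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from strings like '7.11', '7.11.0' or
    'WinRAR 7.01 (64-bit)'; None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version_text):
    """True if below 7.12, False if 7.12 or later, None when the string
    carries no recognisable version (treat that as 'check manually')."""
    v = parse_version(version_text)
    if v is None:
        return None
    return v < FIXED_IN


def installed_winrar_versions():
    """Windows only: DisplayVersion (falling back to DisplayName) of every
    uninstall entry whose DisplayName mentions WinRAR.  Returns [] elsewhere.
    Assumption: WinRAR registers such an entry; adjust the filter if not."""
    if platform.system() != "Windows":
        return []
    import winreg                                   # Windows-only module
    uninstall = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    roots = [
        (winreg.HKEY_LOCAL_MACHINE, uninstall),
        (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\WOW6432Node" + uninstall[len("SOFTWARE"):]),
        (winreg.HKEY_CURRENT_USER, uninstall),      # per-user installs
    ]
    found = []
    for hive, path in roots:
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                try:
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                        name = str(winreg.QueryValueEx(sub, "DisplayName")[0])
                        if "winrar" not in name.lower():
                            continue
                        try:
                            found.append(str(winreg.QueryValueEx(sub, "DisplayVersion")[0]))
                        except OSError:
                            found.append(name)
                except OSError:
                    continue
    return found


def assess(version_texts):
    """Bucket version strings into 'affected', 'fixed' and 'unknown'."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for text in version_texts:
        verdict = is_affected(text)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        report[bucket].append(text)
    return report


if __name__ == "__main__":
    # Constructed sample inputs, used when no WinRAR entry is found locally.
    sample = ["7.11.0", "WinRAR 7.01 (64-bit)", "7.12.0", "8.00", "WinRAR archiver"]
    print(assess(installed_winrar_versions() or sample))
```

Anything landing in the `unknown` bucket is a string with no version in it and should be inspected by hand rather than silently counted as patched; the same helper works on version strings exported from an inventory tool if the registry is not reachable.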
Public PoC/Exploit Available at Github
CVE-2025-6218 has 14 public PoC/exploit repositories on GitHub. They are listed in the Public Exploits section below.
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-6218.
| URL | Resource |
|---|---|
| https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6 | Release Notes |
| https://www.zerodayinitiative.com/advisories/ZDI-25-409/ | Third Party Advisory VDB Entry |
| https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/ | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6218 | US Government Resource |
| https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/ | Exploit Third Party Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-6218 is associated with the following CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), as recorded by the CVE source in the change history below.
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-6218 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs of concept published on GitHub, sorted by most recently updated.
This repository provides production-ready Sigma rules to detect exploitation of CVE-2025-6218 affecting WinRAR on Windows.
Comprehensive analysis and proof-of-concept for CVE-2025-6218 - WinRAR path traversal RCE vulnerability affecting versions 7.11 and earlier
Python PowerShell
Sigma detection rules for Windows threats, including WinRAR CVE-2025-6218 exploitation techniques, designed for SOC and CTI use.
Repository containing remediation and governance scripts for Microsoft Defender and Intune, including CVE fixes, automations and endpoint audits.
None
Python
This repository serves as a central index (“link tree”) to my research into known vulnerabilities (CVEs). The goal is to strengthen technical understanding of how these flaws arise, how they are safely reproduced in controlled environments, and what mitigations can be applied to defend against them.
CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted
RARLAB WinRAR Directory Traversal Remote Code Execution
Python
Proof of Concept for CVE-2025-6218, demonstrating the exploitation of a vulnerability in WinRAR versions 7.11 and under, involving improper handling of archive extraction paths.
Batchfile
A simple proof of concept for WinRAR Path Traversal | RCE | CVE-2025-6218
Python
None
Batchfile
None
HTML Python Shell
A home for detection content developed by the delivr.to team
YARA
📡 PoCs auto-collected from GitHub. ⚠️ Be careful: may contain malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list shows news articles that mention the CVE-2025-6218 vulnerability anywhere in the article.
- The Hacker News: WatchGuard Warns of Active Exploitation of Critical Fireware OS VPN Vulnerability (Dec 19, 2025, Ravie Lakshmanan, Vulnerability / Network Security). WatchGuard has released fixes to address a critical security flaw in Fireware OS that it said has been exploited in real-world attacks. T ...
- The Hacker News: New UEFI Flaw Enables Early-Boot DMA Attacks on ASRock, ASUS, GIGABYTE, MSI Motherboards (Dec 19, 2025, Ravie Lakshmanan, Firmware Security / Vulnerability). Certain motherboard models from vendors like ASRock, ASUSTeK Computer, GIGABYTE, and MSI are affected by a security vulnerability that l ...
- The Hacker News: HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution (Dec 18, 2025, Ravie Lakshmanan, Vulnerability / Enterprise Security). Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, co ...
- The Hacker News: ThreatsDay Bulletin: WhatsApp Hijacks, MCP Leaks, AI Recon, React2Shell Exploit and 15 More Stories. This week's ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the ...
- The Hacker News: CISA Flags Critical ASUS Live Update Flaw After Evidence of Active Exploitation (Dec 18, 2025, Ravie Lakshmanan, Vulnerability / Software Security). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting ASUS Live Update to its Kn ...
- The Hacker News: Cisco Warns of Active Attacks Exploiting Unpatched 0-Day in AsyncOS Email Security Appliances (Dec 18, 2025, Ravie Lakshmanan, Vulnerability / Network Security). Cisco has alerted users of a maximum-severity zero-day flaw in Cisco AsyncOS software that has been actively exploited by a China-nexus a ...
- The Hacker News: New ForumTroll Phishing Attacks Target Russian Scholars Using Fake eLibrary Emails (Dec 17, 2025, Ravie Lakshmanan, Vulnerability / Malware). The threat actor linked to Operation ForumTroll has been attributed to a fresh set of phishing attacks targeting individuals within Russia, accord ...
- The Hacker News: Amazon Exposes Years-Long GRU Cyber Campaign Targeting Energy and Cloud Infrastructure (Dec 16, 2025, Ravie Lakshmanan, Cloud Security / Vulnerability). Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical i ...
- The Hacker News: Fortinet FortiGate Under Active Attack Through SAML SSO Authentication Bypass (Dec 16, 2025, Ravie Lakshmanan, Network Security / Vulnerability). Threat actors have begun to exploit two newly disclosed security flaws in Fortinet FortiGate devices, less than a week after public discl ...
- The Hacker News: React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors. The security vulnerability known as React2Shell is being exploited by threat actors to deliver malware families like KSwapDoor and ZnDoor, according to findings from Palo Alto Networks Unit 42 and NTT ...
- The Hacker News: FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE (Dec 15, 2025, Ravie Lakshmanan, Vulnerability / Software Security). Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a cri ...
- CybersecurityNews: Top 20 Most Exploited Vulnerabilities of 2025: A Comprehensive Analysis. The cybersecurity landscape of 2025 has been marked by an unprecedented surge in vulnerability exploitation, with threat actors leveraging critical flaws across enterprise software, cloud infrastructu ...
- TheCyberThrone: Fortinet Critical Bugs CVE-2025-59718 and CVE-2025-59719 (December 11, 2025). Fortinet recently disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO login feature, tracked as CVE-2025-59718 and CVE-2025-59719. These flaws allow una ...
- TheCyberThrone: CVE-2025-6218 and CVE-2025-62221 Hit CISA KEV (December 10, 2025). CISA has added CVE-2025-6218 and CVE-2025-62221 to its Known Exploited Vulnerabilities (KEV) catalog, signaling active real-world exploitation and immediate remediation requirements f ...
- The Hacker News: Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups (Dec 10, 2025, Ravie Lakshmanan, Vulnerability / Malware). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compressi ...
- CybersecurityNews: CISA Warns of WinRAR 0-Day RCE Vulnerability Exploited in Attacks. A high-priority warning regarding a critical security flaw in WinRAR, the popular file compression tool used by millions of Windows users. The vulnerability, tracked as CVE-2025-6218, is currently bei ...
- Daily CyberSecurity: CISA KEV Alert: WinRAR Zero-Day Used for Malware Injection and Windows UAF RCE Under Active Attack. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new mandate for federal agencies to patch their systems immediately, following evidence of active exploitation in the wild. The ...
- Kaspersky: Exploits and vulnerabilities in Q3 2025. In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulne ...
- CybersecurityNews: APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations. The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has launched a sophisticated campaign targeting government organizations across South Asia by exploiting a critical d ...
- Help Net Security: Russia-linked hackers intensify attacks as global APT activity shifts. State-aligned hacking groups have spent the past six months ramping up espionage, sabotage, and cybercrime campaigns across multiple regions, according to ESET's APT Activity Report covering April thr ...
The following entries list the changes that have been made to the CVE-2025-6218 record over time.
Vulnerability history details are useful for understanding how a vulnerability record evolved and for identifying the most recent changes that may affect its severity, exploitability, or other characteristics.
- Modified Analysis by [email protected], Dec. 10, 2025
  - Added Reference Type (CISA-ADP): https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/ ; Types: Exploit, Third Party Advisory
  - Added Reference Type (CISA-ADP): https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6218 ; Types: US Government Resource
  - Added Reference Type (CISA-ADP): https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/ ; Types: Exploit, Third Party Advisory
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0, Dec. 09, 2025
  - Added Reference: https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6218
  - Added Reference: https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/
- Initial Analysis by [email protected], Jun. 25, 2025
  - Added CPE Configuration (AND of two OR groups, i.e. the vulnerable WinRAR running on Windows):
    - cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:* (vulnerable), versions up to (excluding) 7.12
    - cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  - Added Reference Type (Zero Day Initiative): https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6 ; Types: Release Notes
  - Added Reference Type (Zero Day Initiative): https://www.zerodayinitiative.com/advisories/ZDI-25-409/ ; Types: Third Party Advisory, VDB Entry
- New CVE Received by [email protected], Jun. 21, 2025
  - Added Description: RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
  - Added CVSS V3: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  - Added CWE: CWE-22
  - Added Reference: https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6
  - Added Reference: https://www.zerodayinitiative.com/advisories/ZDI-25-409/