🟢 CVE-2025-6218

CVE-2025-6218 is a directory traversal vulnerability in RARLAB WinRAR that allows remote code execution when a user opens a malicious archive file. Despite being on CISA KEV, this is a client-side vulnerability requiring user interaction and does not affect internet-facing services.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Execution

ATT&CK Technique: T1203 — Exploitation for Client Execution

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-06-21

Added to CISA KEV: 2025-12-09 (171 days between CVE and KEV)


🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-6218 is a critical directory traversal vulnerability in RARLAB WinRAR that enables remote code execution (RCE) [1] [9].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability is confirmed to be under active exploitation in the wild [3] [8].
  • CISA KEV: Due to evidence of active exploitation, CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on December 9, 2025 [7].
  • Threat Actors: It has been reported that multiple threat groups are actively leveraging this flaw in attacks [3].

Attack Method and Requirements
  • Method: The flaw exists in how WinRAR handles file paths within archive files, allowing an attacker to place files outside of the intended extraction directory (directory traversal) [1] [6].
  • User Interaction: Exploitation requires user interaction; the target must open a malicious archive file or visit a malicious page that triggers the extraction process [5].
  • Access: It is a remote attack vector, typically delivered via malicious files [1].

Impact and Usage
  • Impact: Successful exploitation allows remote attackers to execute arbitrary code on the victim's system [1]. While the primary flaw is directory traversal, this is frequently chained to achieve full RCE, often by writing malicious files (such as executables) to startup folders or other sensitive locations [4] [2].
  • Campaigns: The vulnerability has been used to facilitate malware deployment, allowing malicious payloads to launch automatically upon extraction or system reboot [2].

Proof-of-Concept (PoC) Availability
  • Publicly available proof-of-concept code and research exist on platforms like GitHub, demonstrating the directory traversal mechanism and the feasibility of achieving RCE [6] [4].

Patch and Mitigation Status
  • Status: RARLAB has released patches to address this vulnerability. Users are strongly advised to update their WinRAR installations to the latest version to mitigate the risk [2] [8].
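
The containment check an extractor needs against the path handling flaw described above, as an added example that is not from this page or from RARLAB: each archive entry name is resolved under Windows path rules and rejected if it would land outside the destination folder. The destination folder and entry names are constructed sample data, and the function names are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS

def entry_escape_reason(dest, name):
    """Return why extracting `name` under `dest` would land outside it, or None."""
    # Archives may store '/' or '\\'; Windows treats both as separators.
    candidate = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(candidate)
    if drive:
        return "drive or UNC prefix"
    if rest.startswith("\\"):
        return "rooted path"
    root = ntpath.normcase(ntpath.normpath(dest))
    # Resolve '..' lexically, then require the result to stay under root.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(root, candidate)))
    # Compare against root plus a separator so a sibling such as
    # 'invoice2' is not mistaken for a child of 'invoice'.
    if target != root and not target.startswith(root + "\\"):
        return "resolves outside destination"
    return None

def audit_entries(dest, names):
    """Map each unsafe entry name to the reason it was rejected."""
    flagged = {}
    for name in names:
        reason = entry_escape_reason(dest, name)
        if reason:
            flagged[name] = reason
    return flagged

# Constructed sample data: destination folder and entry names are illustrative only.
DEST = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/../readme.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sample.lnk",
    r"C:\Windows\Temp\drop.bin",
    r"\ProgramData\drop.bin",
    "../invoice2/evil.txt",
]

if __name__ == "__main__":
    for name, reason in audit_entries(DEST, SAMPLE_ENTRIES).items():
        print(f"REJECT {name!r}: {reason}")
```

The check is purely lexical, so it can run over an archive listing before anything is written to disk.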

Sources

  1. CVE-2025-6218 Detail - NVD

    Description. RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on ...

  2. WinRAR patches bug letting malware launch from extracted archives

    WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive.

  3. Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by ...

    CISA warns WinRAR CVE-2025-6218 is under active attack by multiple threat groups, requiring federal fixes by Dec. 30, 2025.

  4. ignis-sec/CVE-2025-6218 - GitHub

    A very minimal and simple proof of concept for CVE-2025-6218 WinRAR path traversal vulnerability. (Also included: my toolset for playing around with the RAR format for vulnerability testing) Path traversal to RCE chain not included in the POC, but arbitrary file write to RCE on windows is trivial. C…

  5. CVE-2025-6218 | Tenable®

    RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected inst…

  6. CVE-2025-6218-WinRAR-Directory-Traversal-RCE - GitHub

    CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user ...

  7. CISA Adds Two Known Exploited Vulnerabilities to Catalog

    CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-6218…

  8. WinRAR CVE-2025-6218 Vulnerability Under Active Attack by ...

    CISA flags WinRAR CVE-2025-6218 as actively exploited. Learn about this path traversal flaw and how to protect your systems. Update now!…