Known Exploited Vulnerability
7.8
HIGH CVSS 3.0
CVE-2025-6218
RARLAB WinRAR Path Traversal Vulnerability - [Actively Exploited]
Description

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

INFO

Published Date :

June 21, 2025, 1:15 a.m.

Last Modified :

Dec. 9, 2025, 7:15 p.m.

Remotely Exploitable :

No
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=276&cHash=b5165454d983fc9717bc8748901a64f9 ; https://nvd.nist.gov/vuln/detail/CVE-2025-6218

Affected Products

The following products are affected by the CVE-2025-6218 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, that information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows
1 Rarlab winrar
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.0 HIGH [email protected]
Solution
Update WinRAR to patch directory traversal and RCE vulnerabilities.
  • Update RARLAB WinRAR to the latest version.
  • Ensure users do not open untrusted archives.
  • Apply vendor security patches when available.
Public PoC/Exploit Available at Github

CVE-2025-6218 has 10 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-6218 is associated with the following CWEs:

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

None

Python

Updated: 3 months, 1 week ago
1 stars 0 fork 0 watcher
Born at : Sept. 2, 2025, 7:20 p.m. This repo has also been linked to 2 different CVEs.

This repository serves as a central index (“link tree”) to my research into known vulnerabilities (CVEs). The goal is to strengthen technical understanding of how these flaws arise, how they are safely reproduced in controlled environments, and what mitigations can be applied to defend against them.

Updated: 3 months, 3 weeks ago
0 stars 0 fork 0 watcher
Born at : Aug. 18, 2025, 3:16 p.m. This repo has also been linked to 1 different CVE.

CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted

Updated: 4 months, 2 weeks ago
3 stars 0 fork 0 watcher
Born at : July 10, 2025, 1:37 a.m. This repo has also been linked to 1 different CVE.

RARLAB WinRAR Directory Traversal Remote Code Execution

Python

Updated: 4 months, 2 weeks ago
6 stars 2 fork 2 watcher
Born at : July 3, 2025, 4:52 a.m. This repo has also been linked to 1 different CVE.

Proof of Concept for CVE-2025-6218, demonstrating the exploitation of a vulnerability in WinRAR versions 7.11 and under, involving improper handling of archive extraction paths.

Batchfile

Updated: 4 months, 2 weeks ago
7 stars 4 fork 4 watcher
Born at : July 1, 2025, 5:34 a.m. This repo has also been linked to 1 different CVE.

A simple proof of concept for WinRAR Path Traversal | RCE | CVE-2025-6218

Python

Updated: 4 months, 3 weeks ago
9 stars 4 fork 4 watcher
Born at : June 29, 2025, 7:06 p.m. This repo has also been linked to 1 different CVE.

None

Batchfile

Updated: 5 months ago
13 stars 4 fork 4 watcher
Born at : June 27, 2025, 12:11 a.m. This repo has also been linked to 1 different CVE.

None

HTML Python Shell

Updated: 5 months ago
0 stars 0 fork 0 watcher
Born at : Feb. 13, 2025, 8:50 a.m. This repo has also been linked to 891 different CVEs.

A home for detection content developed by the delivr.to team

YARA

Updated: 3 months, 4 weeks ago
69 stars 6 fork 6 watcher
Born at : Feb. 8, 2023, 5:38 p.m. This repo has also been linked to 5 different CVEs.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 2 weeks ago
7400 stars 1218 fork 1218 watcher
Born at : Dec. 8, 2019, 1:03 p.m. This repo has also been linked to 825 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-6218 vulnerability anywhere in the article.

  • Daily CyberSecurity
CISA KEV Alert: WinRAR Zero-Day Used for Malware Injection and Windows UAF RCE Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new mandate for federal agencies to patch their systems immediately, following evidence of active exploitation in the wild. The ... Read more

Published Date: Dec 10, 2025 (5 hours, 41 minutes ago)
  • Kaspersky
Exploits and vulnerabilities in Q3 2025

In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulne ... Read more

Published Date: Dec 03, 2025 (6 days, 21 hours ago)
  • CybersecurityNews
APT-C-08 Hackers Exploiting WinRAR Vulnerability to Attack Government Organizations

The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has launched a sophisticated campaign targeting government organizations across South Asia by exploiting a critical d ... Read more

Published Date: Nov 12, 2025 (3 weeks, 6 days ago)
  • Help Net Security
Russia-linked hackers intensify attacks as global APT activity shifts

State-aligned hacking groups have spent the past six months ramping up espionage, sabotage, and cybercrime campaigns across multiple regions, according to ESET’s APT Activity Report covering April thr ... Read more

Published Date: Nov 06, 2025 (1 month ago)
  • CybersecurityNews
Threat Actors Leveraging Windows and Linux Vulnerabilities in Real-world Attacks to Gain System Access

Cybersecurity teams worldwide have observed a surge in sophisticated campaigns exploiting both Windows and Linux vulnerabilities in recent months to achieve unauthorized system access. These attacks o ... Read more

Published Date: Aug 29, 2025 (3 months, 1 week ago)
  • Daily CyberSecurity
Kaspersky Report: Vulnerabilities Are Exploding, and Attackers Are Adapting

Kaspersky Labs has published its Q2 2025 vulnerability analysis, revealing an alarming rise in both the number of vulnerabilities registered and their exploitation in the wild. The findings show that ... Read more

Published Date: Aug 29, 2025 (3 months, 1 week ago)
  • CybersecurityNews
New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression

A newly observed variant of the Zip Slip vulnerability has emerged, enabling threat actors to exploit path traversal flaws in widely used decompression utilities. Exploits leveraging this vulnerabilit ... Read more

Published Date: Aug 27, 2025 (3 months, 1 week ago)
  • Kaspersky
Exploits and vulnerabilities in Q2 2025

Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browser ... Read more

Published Date: Aug 27, 2025 (3 months, 1 week ago)
  • CybersecurityNews
WinRAR 0-Day Vulnerabilities Exploited in Wild by Hackers – Detailed Case Study

The cybersecurity landscape has been significantly impacted by the discovery and active exploitation of two critical zero-day vulnerabilities in WinRAR, one of the world’s most widely used file compre ... Read more

Published Date: Aug 26, 2025 (3 months, 1 week ago)
  • Daily CyberSecurity
Beyond the Inbox: How a Cyber-Espionage Group Is Exploiting Two WinRAR Vulnerabilities

BI.ZONE Threat Intelligence uncovered a series of targeted cyber-espionage campaigns conducted by the Paper Werewolf (GOFFEE) cluster, which weaponized both a known WinRAR vulnerability (CVE-2025-6218 ... Read more

Published Date: Aug 21, 2025 (3 months, 2 weeks ago)
  • CybersecurityNews
Paper Werewolf Exploiting WinRAR Zero‑Day Vulnerability to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated campaign by the Paper Werewolf threat actor group, also known as GOFFEE, targeting Russian organizations through the exploitation of critical v ... Read more

Published Date: Aug 20, 2025 (3 months, 2 weeks ago)
  • Ars Technica
High-severity WinRAR 0-day exploited for weeks by 2 groups

A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached t ... Read more

Published Date: Aug 12, 2025 (3 months, 4 weeks ago)
  • The Register
Russia's RomCom among those exploiting a WinRAR 0-day in highly-targeted attacks

Russia-linked attackers found and exploited a high-severity WinRAR vulnerability before the maintainers of the Windows file archiver issued a fix. The bug, tracked as CVE-2025-8088, is a path-traversa ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • BleepingComputer
Details emerge on WinRAR zero-day attacks that infected PCs with malware

Researchers have released a report detailing how a recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop d ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • TheCyberThrone
CVE-2025-8088 WinRAR Zero-Day Vulnerability

August 11, 2025. What is CVE-2025-8088? CVE-2025-8088 refers to a critical zero-day vulnerability in the Windows version of WinRAR—a widely used file archive utility. The flaw was actively exploited befor ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • security.nl
'European companies attacked via WinRAR vulnerability since July 18'

European companies, including in the financial, manufacturing, defense and logistics sectors, have been attacked since July 18 via a vulnerability in the popular archiving software WinRAR. At the ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • The Hacker News
WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been des ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • Daily CyberSecurity
WinRAR Update: Zero-Day Path Traversal Flaw (CVE-2025-8088) Actively Exploited to Deliver Malware

Security researchers at ESET have uncovered a zero-day path traversal vulnerability in the Windows version of WinRAR that has been actively exploited to execute arbitrary code on victims’ systems. Tra ... Read more

Published Date: Aug 11, 2025 (3 months, 4 weeks ago)
  • TheCyberThrone
CVE-2025-6554 Actively Exploited Google Chrome Zeroday

🧾 Overview: CVE-2025-6554 is a high-severity zero-day vulnerability discovered in Google Chrome’s V8 JavaScript engine, which is responsible for processing JavaScript in the browser. The ... Read more

Published Date: Jul 01, 2025 (5 months, 1 week ago)
  • TheCyberThrone
CISA Adds Critical Citrix NetScaler Vulnerability to KEV Catalog

On June 30, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6543, a critical buffer overflow vulnerability in Citrix NetScaler ADC and Gateway, to its K ... Read more

Published Date: Jul 01, 2025 (5 months, 1 week ago)

The following table lists the changes that have been made to the CVE-2025-6218 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 09, 2025

    Action Type Old Value New Value
    Added Reference https://foresiet.com/blog/apt-c-08-winrar-directory-traversal-exploit/
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6218
    Added Reference https://www.secpod.com/blog/archive-terror-dissecting-the-winrar-cve-2025-6218-exploit-apt-c-08s-stealth-move/
  • Initial Analysis by [email protected]

    Jun. 25, 2025

    Action Type Old Value New Value
    Added CPE Configuration AND OR *cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:* versions up to (excluding) 7.12 OR cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
    Added Reference Type Zero Day Initiative: https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6 Types: Release Notes
    Added Reference Type Zero Day Initiative: https://www.zerodayinitiative.com/advisories/ZDI-25-409/ Types: Third Party Advisory, VDB Entry
  • New CVE Received by [email protected]

    Jun. 21, 2025

    Action Type Old Value New Value
    Added Description RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
    Added CVSS V3 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CWE CWE-22
    Added Reference https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6
    Added Reference https://www.zerodayinitiative.com/advisories/ZDI-25-409/
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 7.8
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High