7.8
HIGH CVSS 3.0
CVE-2025-6218
WinRAR Directory Traversal Remote Code Execution Vulnerability
Description

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

INFO

Published Date: June 21, 2025, 1:15 a.m.

Last Modified: June 25, 2025, 7:03 p.m.

Remotely Exploitable: No
Affected Products

The following products are affected by the CVE-2025-6218 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows
1 Rarlab winrar
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.0 HIGH [email protected]
Solution
This information is provided by third-party feeds.
  • Upgrade to RARLAB WinRAR version 7.12 Beta 1 or later.
Public PoC/Exploit Available at Github

CVE-2025-6218 has 9 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-6218.

URL Resource
https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6 Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-25-409/ Third Party Advisory VDB Entry
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-6218 is associated with the following CWEs:

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).

This repository serves as a central index (“link tree”) to my research into known vulnerabilities (CVEs). The goal is to strengthen technical understanding of how these flaws arise, how they are safely reproduced in controlled environments, and what mitigations can be applied to defend against them.

Updated: 5 days, 12 hours ago
0 stars 0 fork 0 watcher
Born at: Aug. 18, 2025, 3:16 p.m. This repo has also been linked to 1 different CVE.

CVE-2025-6218 is a directory traversal vulnerability in WinRAR that allows an attacker to place files outside the intended extraction directory when a user extracts a specially crafted

Updated: 1 month ago
3 stars 0 fork 0 watcher
Born at: July 10, 2025, 1:37 a.m. This repo has also been linked to 1 different CVE.

RARLAB WinRAR Directory Traversal Remote Code Execution

Python

Updated: 1 month ago
6 stars 2 fork 2 watcher
Born at: July 3, 2025, 4:52 a.m. This repo has also been linked to 1 different CVE.

Proof of Concept for CVE-2025-6218, demonstrating the exploitation of a vulnerability in WinRAR versions 7.11 and under, involving improper handling of archive extraction paths.

Batchfile

Updated: 1 month ago
7 stars 4 fork 4 watcher
Born at: July 1, 2025, 5:34 a.m. This repo has also been linked to 1 different CVE.

A simple proof of concept for WinRAR Path Traversal | RCE | CVE-2025-6218

Python

Updated: 1 month ago
9 stars 4 fork 4 watcher
Born at: June 29, 2025, 7:06 p.m. This repo has also been linked to 1 different CVE.

None

Batchfile

Updated: 1 month, 2 weeks ago
13 stars 4 fork 4 watcher
Born at: June 27, 2025, 12:11 a.m. This repo has also been linked to 1 different CVE.

None

HTML Python Shell

Updated: 1 month, 2 weeks ago
0 stars 0 fork 0 watcher
Born at: Feb. 13, 2025, 8:50 a.m. This repo has also been linked to 891 different CVEs.

A home for detection content developed by the delivr.to team

YARA

Updated: 1 week, 6 days ago
69 stars 6 fork 6 watcher
Born at: Feb. 8, 2023, 5:38 p.m. This repo has also been linked to 5 different CVEs.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 5 hours, 54 minutes ago
7209 stars 1199 fork 1199 watcher
Born at: Dec. 8, 2019, 1:03 p.m. This repo has also been linked to 806 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-6218 vulnerability anywhere in the article.

  • Daily CyberSecurity
Beyond the Inbox: How a Cyber-Espionage Group Is Exploiting Two WinRAR Vulnerabilities

BI.ZONE Threat Intelligence uncovered a series of targeted cyber-espionage campaigns conducted by the Paper Werewolf (GOFFEE) cluster, which weaponized both a known WinRAR vulnerability (CVE-2025-6218 ... Read more

Published Date: Aug 21, 2025 (3 days, 3 hours ago)
  • CybersecurityNews
Paper Werewolf Exploiting WinRAR Zero‑Day Vulnerability to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated campaign by the Paper Werewolf threat actor group, also known as GOFFEE, targeting Russian organizations through the exploitation of critical v ... Read more

Published Date: Aug 20, 2025 (3 days, 19 hours ago)
  • Ars Technica
High-severity WinRAR 0-day exploited for weeks by 2 groups

A high-severity zero-day in the widely used WinRAR file compressor is under active exploitation by two Russian cybercrime groups. The attacks backdoor computers that open malicious archives attached t ... Read more

Published Date: Aug 12, 2025 (1 week, 5 days ago)
  • The Register
Russia's RomCom among those exploiting a WinRAR 0-day in highly-targeted attacks

Russia-linked attackers found and exploited a high-severity WinRAR vulnerability before the maintainers of the Windows file archiver issued a fix. The bug, tracked as CVE-2025-8088, is a path-traversa ... Read more

Published Date: Aug 11, 2025 (1 week, 5 days ago)
  • BleepingComputer
Details emerge on WinRAR zero-day attacks that infected PCs with malware

Researchers have released a report detailing how a recent WinRAR path traversal vulnerability tracked as CVE-2025-8088 was exploited in zero-day attacks by the Russian 'RomCom' hacking group to drop d ... Read more

Published Date: Aug 11, 2025 (1 week, 5 days ago)
  • TheCyberThrone
CVE-2025-8088 WinRAR Zero-Day Vulnerability

August 11, 2025. What is CVE-2025-8088? CVE-2025-8088 refers to a critical zero-day vulnerability in the Windows version of WinRAR—a widely used file archive utility. The flaw was actively exploited befor ... Read more

Published Date: Aug 11, 2025 (1 week, 5 days ago)
  • security.nl
'European companies attacked via WinRAR vulnerability since July 18'

European companies, including those in the financial, manufacturing, defense and logistics sectors, have been attacked since July 18 via a vulnerability in the popular archiving software WinRAR. At the mom ... Read more

Published Date: Aug 11, 2025 (1 week, 5 days ago)
  • The Hacker News
WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately

The maintainers of the WinRAR file archiving utility have released an update to address an actively exploited zero-day vulnerability. Tracked as CVE-2025-8088 (CVSS score: 8.8), the issue has been des ... Read more

Published Date: Aug 11, 2025 (1 week, 5 days ago)
  • Daily CyberSecurity
WinRAR Update: Zero-Day Path Traversal Flaw (CVE-2025-8088) Actively Exploited to Deliver Malware

Security researchers at ESET have uncovered a zero-day path traversal vulnerability in the Windows version of WinRAR that has been actively exploited to execute arbitrary code on victims’ systems. Tra ... Read more

Published Date: Aug 11, 2025 (1 week, 6 days ago)
  • TheCyberThrone
CVE-2025-6554 Actively Exploited Google Chrome Zeroday

🧾 Overview: CVE-2025-6554 is a high-severity zero-day vulnerability discovered in Google Chrome’s V8 JavaScript engine, which is responsible for processing JavaScript in the browser. The ... Read more

Published Date: Jul 01, 2025 (1 month, 3 weeks ago)
  • TheCyberThrone
CISA Adds Critical Citrix NetScaler Vulnerability to KEV Catalog

On June 30, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6543, a critical buffer overflow vulnerability in Citrix NetScaler ADC and Gateway, to its K ... Read more

Published Date: Jul 01, 2025 (1 month, 3 weeks ago)
  • TheCyberThrone
CVE-2025-36038 RCE in IBM WebSphere

📌 Objective: CVE-2025-36038 is a critical vulnerability in IBM WebSphere Application Server versions 8.5 and 9.0, allowing unauthenticated remote code execution (RCE) through the deserial ... Read more

Published Date: Jun 30, 2025 (1 month, 3 weeks ago)
  • TheCyberThrone
CVE-2025-6218 WinRAR Directory Traversal Vulnerability

🔍 Overview: CVE-2025-6218 is a directory traversal vulnerability discovered in WinRAR, the widely used file archiving tool for Windows. The flaw allows attackers to craft malicious archiv ... Read more

Published Date: Jun 30, 2025 (1 month, 3 weeks ago)
  • Help Net Security
Week in review: Backdoor found in SOHO devices running Linux, high-risk WinRAR RCE flaw patched

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Stealthy backdoor found hiding in SOHO devices running Linux SecurityScorecard’s STRIKE team has uncov ... Read more

Published Date: Jun 29, 2025 (1 month, 3 weeks ago)
  • BleepingComputer
WinRAR patches bug letting malware launch from extracted archives

WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive. The flaw tracke ... Read more

Published Date: Jun 25, 2025 (1 month, 4 weeks ago)
  • Cyber Security News
Aviatrix Cloud Controller Authentication Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities in Aviatrix Controller, a Software-Defined Networking (SDN) utility that enables cloud connectivity across different vendors and regions. The vulnerabilities allowed attac ... Read more

Published Date: Jun 24, 2025 (1 month, 4 weeks ago)
  • Cyber Security News
WinRAR Vulnerability Let Execute Arbitrary Code Using a Malicious File

Summary 1. A high-severity flaw (CVE-2025-6218) in WinRAR allows attackers to execute arbitrary code by exploiting how the software handles file paths within archives. 2. The vulnerability enables att ... Read more

Published Date: Jun 24, 2025 (1 month, 4 weeks ago)
  • Daily CyberSecurity
CVE-2025-6218: WinRAR Directory Traversal Bug Opens the Door to Remote Code Execution

A newly disclosed vulnerability in RARLAB’s WinRAR, the long-standing compression utility for Windows, has exposed millions of users to a severe directory traversal flaw that could lead to remote code ... Read more

Published Date: Jun 24, 2025 (2 months ago)

The following table lists the changes that have been made to the CVE-2025-6218 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Jun. 25, 2025

    Action Type Old Value New Value
    Added CPE Configuration AND OR *cpe:2.3:a:rarlab:winrar:*:*:*:*:*:*:*:* versions up to (excluding) 7.12 OR cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
    Added Reference Type Zero Day Initiative: https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6 Types: Release Notes
    Added Reference Type Zero Day Initiative: https://www.zerodayinitiative.com/advisories/ZDI-25-409/ Types: Third Party Advisory, VDB Entry
  • New CVE Received by [email protected]

    Jun. 21, 2025

    Action Type Old Value New Value
    Added Description RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.
    Added CVSS V3 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Added CWE CWE-22
    Added Reference https://www.win-rar.com/singlenewsview.html?&tx_ttnews%5Btt_news%5D=276&cHash=388885bd3908a40726f535c026f94eb6
    Added Reference https://www.zerodayinitiative.com/advisories/ZDI-25-409/
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 7.8
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High