CISA warns about WinRAR vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability affecting WinRAR compression software to its catalog of Known Exploited Vulnerabilities (KEV), citing evidence of active exploitation.

The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal flaw in archive extraction that can lead to arbitrary code execution in the context of the current user. Exploitation requires user interaction: the target must open a malicious file (typically a crafted RAR archive) or visit a malicious web page.

Technical details of the vulnerability and patch

RARLAB, the developer of WinRAR, patched this vulnerability with the release of WinRAR 7.12 in June 2025. The bug only affects the Windows versions.

  • Vulnerability: Path traversal. A crafted file path inside an archive causes WinRAR to write the entry outside the directory the user chose for extraction.
  • Impact: The attacker can drop files into sensitive locations under the user's profile. A file written into the Startup folder, for example, is executed at the next logon, giving code execution as the current user without further interaction.
  • Patch: WinRAR 7.12 and later fixes the issue; earlier Windows versions remain vulnerable.
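The defect class is easiest to see next to the fix. The following is an added example, not code from RARLAB or from the original article: it takes a constructed listing of archive entry names (the kind of names a crafted archive would carry), shows where a naive extractor that simply joins the entry name onto the destination would write each file, and contrasts that with a containment check that rejects anything resolving outside the destination. The destination path, the entry names and the list of sensitive folders are assumptions of the example; Windows path semantics are emulated with `ntpath` so it runs on any platform.

```python
import ntpath
from typing import Optional

# Constructed sample: where the user chose to extract, and the entry names a
# crafted archive might carry. None of this is taken from a real archive.
DEST = r"C:\Users\victim\Downloads\extract"
SAMPLE_ENTRIES = [
    "decoy.docx",                                                   # benign decoy
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"..\..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"C:\Users\Public\evil.exe",                                    # absolute path
    r"notes.txt:hidden.exe",                                        # NTFS alternate data stream syntax
    "reports/q3/summary.pdf",                                       # legitimate nested entry
]

# Folders (lower-cased, as produced by ntpath.normcase) where a dropped file
# gains execution or persistence. Assumed list, extend as needed.
SENSITIVE_MARKERS = {
    r"\start menu\programs\startup" + "\\": "user Startup folder (runs at next logon)",
    r"\microsoft\templates" + "\\": "Word global template folder (loaded on every Word start)",
    r"\microsoft\word\startup" + "\\": "Word STARTUP add-in folder",
}


def naive_target(dest: str, name: str) -> str:
    """The vulnerable pattern: join the entry name onto dest and trust the result."""
    return ntpath.normpath(ntpath.join(dest, name))


def safe_target(dest: str, name: str) -> Optional[str]:
    """Return the resolved path only if it stays inside dest; None means 'refuse to write'."""
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith(("\\", "/")):
        return None                       # absolute, drive-relative, rooted or UNC names
    if ":" in name:
        return None                       # reject alternate-data-stream syntax outright
    base = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(base, name))
    # Containment: after collapsing '..' the target must lie strictly below base.
    # Comparing against base + separator also stops 'extract' matching 'extractX'.
    if not ntpath.normcase(target).startswith(ntpath.normcase(base) + "\\"):
        return None
    return target


def audit(dest: str, entries: list) -> list:
    """Classify every entry: where a naive extractor would put it and whether it is safe."""
    findings = []
    for name in entries:
        naive = naive_target(dest, name)
        lowered = ntpath.normcase(naive)
        location = next((why for marker, why in SENSITIVE_MARKERS.items() if marker in lowered), None)
        findings.append({
            "entry": name,
            "naive_path": naive,
            "safe": safe_target(dest, name) is not None,
            "location": location,
        })
    return findings


if __name__ == "__main__":
    for f in audit(DEST, SAMPLE_ENTRIES):
        verdict = "OK     " if f["safe"] else "REJECT "
        print(f"{verdict} {f['entry']}\n         -> {f['naive_path']}"
              + (f"\n         !! {f['location']}" if f["location"] else ""))
```

The two traversal entries resolve to the user's Startup folder and to the Word template folder, which are exactly the locations the campaigns below abuse; the containment check refuses both, while the legitimate nested entry is still extracted. Any extractor (and any archive-scanning gateway) should apply the same check to every entry name before a single byte is written.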

Exploitation by threat groups

Multiple threat groups have been actively exploiting this vulnerability in spear-phishing campaigns.

GOFFEE (Paper Werewolf) campaign

The GOFFEE group (also known as Paper Werewolf) has been linked to the exploitation of CVE-2025-6218 along with another path traversal vulnerability in WinRAR (CVE-2025-8088). The attacks target organizations in Russia via phishing emails.

Bitter (APT-C-08) attacks

The South Asia-focused APT group Bitter has used the vulnerability to establish persistence in compromised systems.

  • Attack mechanism: A malicious RAR archive (Provision of Information for Sectoral for AJK.rar) contains a benign Word document as a decoy and a malicious macro-enabled template whose entry name traverses out of the extraction folder.
  • Persistence: The template (Normal.dotm) is written into Microsoft Word's global template path. Word loads this file every time it starts, so the macro runs on every launch and provides a persistent backdoor without the macro warnings a document-borne macro would trigger.
  • Payload: A C# Trojan communicates with a command and control (C2) server to perform keylogging, capture screenshots, harvest RDP credentials, and exfiltrate files.
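The two drop locations described on this page (the Startup folder and Word's global template folder) are cheap to sweep on an endpoint. The following hunt script is an added example and not part of the original report or of any vendor's tooling: it walks the watched folders under a user profile, flags any file in Startup other than `desktop.ini`, and flags templates that carry a VBA project (a `Normal.dotm` normally has no `word/vbaProject.bin` part unless the user has recorded macros). The watched paths, suffix lists and the sample profile tree it builds in a temporary directory are assumptions of the example; on a real host run `hunt(Path(os.environ["USERPROFILE"]))` instead.

```python
import tempfile
import zipfile
from pathlib import Path

# Profile-relative folders to sweep and how to judge their contents (assumed list).
#   "any"   -> any file except desktop.ini is a finding
#   "macro" -> templates with a VBA project, or executables, are findings
WATCHED = [
    ("Startup folder", Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"), "any"),
    ("Word global template folder", Path("AppData/Roaming/Microsoft/Templates"), "macro"),
    ("Word STARTUP folder", Path("AppData/Roaming/Microsoft/Word/STARTUP"), "macro"),
]
TEMPLATE_SUFFIXES = {".dotm", ".dot", ".docm"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta", ".lnk"}


def has_vba(path: Path) -> bool:
    """True if an OOXML template contains a VBA project part (word/vbaProject.bin)."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return any(name.lower() == "word/vbaproject.bin" for name in z.namelist())


def hunt(profile: Path) -> list:
    """Return a list of findings for the watched folders under one user profile."""
    findings = []
    for label, rel, mode in WATCHED:
        folder = profile / rel
        if not folder.is_dir():
            continue
        for item in sorted(folder.iterdir()):
            if not item.is_file():
                continue
            suffix = item.suffix.lower()
            if mode == "any":
                if item.name.lower() != "desktop.ini":
                    findings.append({"where": label, "path": str(item), "why": "unexpected file in Startup"})
            elif suffix in TEMPLATE_SUFFIXES and has_vba(item):
                findings.append({"where": label, "path": str(item), "why": "template carries a VBA project"})
            elif suffix in EXEC_SUFFIXES:
                findings.append({"where": label, "path": str(item), "why": "executable in template folder"})
    return findings


def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile (not real data): one clean template, two planted artefacts."""
    profile = root / "victim"
    startup = profile / WATCHED[0][1]
    templates = profile / WATCHED[1][1]
    startup.mkdir(parents=True)
    templates.mkdir(parents=True)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")          # normally present, benign
    (startup / "update.exe").write_bytes(b"MZ" + b"\x00" * 64)             # placeholder, not a real binary
    with zipfile.ZipFile(templates / "Normal.dotm", "w") as z:             # template with a macro project
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)                    # stand-in for compiled VBA
    with zipfile.ZipFile(templates / "clean.dotm", "w") as z:              # macro-enabled suffix, no VBA
        z.writestr("word/document.xml", "<w:document/>")
    return profile


def demo() -> list:
    """Build the sample profile in a temp directory, run the hunt, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['where']}] {f['path']}: {f['why']}")
```

A hit on `Normal.dotm` is not proof of compromise on its own, since users who record macros also populate it; the follow-up is to extract `word/vbaProject.bin` and review it, and to correlate with WinRAR activity (archive names, extraction time) on the same host.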

Gamaredon operations against Ukraine

The Russian hacking group Gamaredon has exploited CVE-2025-6218 in phishing campaigns targeting military, government, and administrative entities in Ukraine.

  • Malware deployed: Pteranodon, the group's long-standing backdoor.
  • Destructive operation: Gamaredon has also abused CVE-2025-8088 to deploy a new wiper (GamaWiper), the first time this group has been observed conducting destructive operations rather than its traditional espionage activity.

Conclusions and recommendations

Given the evidence of active exploitation and the observed cyberespionage campaigns, CISA requires Federal Civilian Executive Branch (FCEB) agencies to apply the patch by December 30, 2025. All other users should update WinRAR to version 7.12 or later immediately; since CVE-2025-8088 was fixed in a later release, updating to the current version covers both flaws.
