CISA KEV Adds WinRAR Path Traversal and Windows Cloud Files UAF — Remediation Guide

CISA’s decision to add two recently disclosed flaws — a WinRAR path‑traversal bug (CVE-2025-6218) and a Windows Cloud Files mini‑filter use‑after‑free (CVE-2025-62221) — to the Known Exploited Vulnerabilities (KEV) Catalog crystallizes a simple reality for defenders: time-to-fix is shrinking and the federal remediation clock is unforgiving. The technical facts are straightforward and concerning: CVE-2025-6218 is a directory‑traversal that can lead to arbitrary code execution when a user extracts a crafted archive with vulnerable WinRAR builds, while CVE-2025-62221 is a kernel‑mode memory corruption (use‑after‑free) in the Windows Cloud Files mini‑filter that allows a local, authenticated user to escalate privileges. Both vulnerabilities have public vendor and vulnerability‑tracker records and are associated with in‑the‑wild activity or vendor statements about exploitation.

---

Background / Overview​

CISA’s Known Exploited Vulnerabilities (KEV) Catalog is the operational instrument that turns evidence of active exploitation into prioritized action under Binding Operational Directive (BOD) 22‑01. When CISA places a CVE on the KEV catalog the expectation — and for Federal Civilian Executive Branch (FCEB) agencies the legal requirement — is rapid remediation, usually within a compressed window unless otherwise specified. That policy mechanism exists to reduce operational exposure to vulnerabilities that are demonstrably being used in active campaigns.
This latest KEV movement follows a busy year in which both endpoint utilities and kernel drivers have been recurring targets for attackers. File‑archiving tools remain attractive because they are ubiquitous and commonly used to transfer content delivered via email or downloads; kernel drivers are attractive because a single reliable escalation in kernel mode yields full system compromise. The two newest entries highlight both vectors.

---

What we know: CVE-2025-6218 (RARLAB WinRAR — Path Traversal → Code Execution)​

The technical summary​

• Vulnerability: Directory traversal in WinRAR’s archive path handling. A crafted path inside an archive can cause extraction to write files outside the expected extraction folder.
• Impact: Arbitrary files — including executables or startup items — can be written to sensitive locations, enabling code execution in the context of the current user after the user opens the file or reboots. The practical outcome is user‑context remote code execution that can be chained into persistence and follow‑on activity.

Affected products and patch status​

• Affected: Windows builds of WinRAR, specifically versions at or below the affected builds documented by vendor advisories; vendor communications and vulnerability trackers list WinRAR 7.11 and earlier as vulnerable, with patched builds released (WinRAR 7.12 beta and subsequent stable releases).
• Patching: RARLAB published updates; because WinRAR lacks an automatic update mechanism, manual installation of the patched binary is required. Several security vendors and trackers mirrored the vendor advisory and ZDI advisory.

Exploitation and real‑world use​

• Evidence: Public PoCs and proof‑of‑concept code appeared shortly after disclosure; multiple security advisories flagged exploitation attempts and targeted campaigns that weaponized WinRAR path‑traversal issues in phishing campaigns. Threat research firms tied related exploitation patterns to targeted actors in some cases. There is credible public reporting of in‑the‑wild abuse tied to WinRAR path‑traversal bugs in 2025.

Why this matters to Windows administrators​

• Attack vector is low friction: convincing a user to open an archive is trivial via phishing or trojanized downloads.
• Ubiquity amplifies impact: WinRAR’s large installed base makes opportunistic campaigns effective.
• Remediation friction: many users run older WinRAR builds and administrators have to track and update endpoint application inventories accordingly.

---

What we know: CVE-2025-62221 (Microsoft Windows — Cloud Files Mini Filter Driver Use‑After‑Free)​

The technical summary​

• Vulnerability: A use‑after‑free in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that can be abused by an authenticated local actor to escalate privileges.
• Impact: Local authenticated attacker → elevation to SYSTEM (kernel privileges). The bug is a memory‑corruption vulnerability in a driver that sits at a privileged boundary between user and kernel.

Affected products and vendor response​

• Affected: Multiple Windows client and server versions where the Cloud Files mini‑filter is present (various Windows 10/11 and Server SKUs as described in vendor advisories).
• Patching: Microsoft released updates as part of its December 2025 security updates (Patch Tuesday), and vendor guidance describes the patched OS builds and recommended update paths. Security vendors and public advisories documented the flaw in their Patch Tuesday summaries.

Exploitation and operational context​

• Evidence: Microsoft indicated active exploitation in some reporting; multiple security vendors (Tenable, Check Point, and others) flagged the issue as being used in the wild or as a zero‑day at the time of disclosure. The exploitation model is local, meaning the attacker must already have some code execution capability with lower privileges on the host (e.g., via a malicious installer or a successful phishing drop), then escalate to SYSTEM via the driver bug.

---

How these two entries interact with the KEV / BOD 22‑01 framework​

• The KEV catalog is explicitly evidence‑driven: additions follow credible telemetry that a CVE is being used by adversaries.
• Once a CVE is added, FCEB agencies are required to remediate within the timeline set by the KEV entry or follow the compensating control and isolation guidance in BOD 22‑01. This turns threat intelligence into an operational deadline and is intended to reduce the window of exposure.
• For enterprises outside the FCEB, KEV entries are not legally binding but function as a de facto prioritization rubric. Treat KEV additions as high‑urgency items in vulnerability management programs.

---

Tactical remediation checklist (immediate steps)​

Follow this prioritized list when responding to these specific KEV additions.

• Inventory and exposure assessment
• Identify all endpoints with WinRAR installed and enumerate versions (WinRAR 7.11 and earlier flagged as vulnerable in multiple vendor advisories). Use software inventory tools and EDR/patch management consoles to produce a definite list.
• Patch or update (WinRAR)
• Update WinRAR to the vendor‑supplied patched build (install the latest WinRAR release; do this manually if auto‑update is not available).
• For managed fleets, push the patched installer through endpoint management (SCCM/Intune/third‑party MDM) and enforce version gates.
• Patch or mitigate (Windows kernel EoP)
• Apply Microsoft’s security updates that address the Cloud Files mini‑filter driver vulnerability to affected Windows builds as soon as possible. Prioritize high‑exposure hosts (developer laptops, jump hosts, servers with user access).
• Compensating controls (if you cannot patch immediately)
• WinRAR: block archive attachments from unknown senders at the mail gateway, disable automatic extraction features, and restrict execution of dropped executables (application allowlisting).
• Windows: restrict access to local accounts and limit the ability for unprivileged users to run installers. Where feasible, enable robust kernel‑mode exploit mitigation features and consolidate privilege separation.
• Hunt and triage
• WinRAR: hunt for signs of extraction to unexpected locations (Startup folders, %APPDATA%, Program Files subpaths) and look for persistence artifacts (new scheduled tasks, services, or startup LNKs).
• Cloud Files driver: hunt for suspicious local privilege escalation traces — unexpected SYSTEM processes spawned from user accounts, new services, or kernel driver loads that coincide with suspicious local activity.
• Incident response readiness
• If evidence of exploitation is found, isolate affected endpoints, collect forensic artifacts, and engage IR teams; look for follow‑on lateral movement and persistence. Escalate to law enforcement and CISA if federal incident thresholds are met and follow required reporting.

---

Detection and threat‑hunting guidance​

WinRAR (CVE‑2025‑6218)​

• Search endpoints and mail gateways for recently extracted archive files with suspicious relative paths (../ sequences) or archive entries with improbable path values.
• Monitor filesystem writes into:
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
• %USERPROFILE%\AppData\Roaming
• Any unusual location where executable content should not appear
• Yara/EDR rules can flag suspicious LNK creation patterns and unexpected execution from user profile locations. Public PoC code demonstrates extraction to Startup; detect that pattern.

Cloud Files mini‑filter (CVE‑2025‑62221)​

• Focus on local privilege escalation indicators: new SYSTEM‑level processes initiated from user contexts, unexpected driver loads, suspicious IOCTL interactions if visible, and unusual process token changes.
• Hunt for unusual device or driver objects and examine Event Tracing for Windows (ETW) traces around the time of suspected exploitation.
• Use kernel‑mode telemetry where available (kernel event logs, EDR kernel sensors) to detect memory‑corruption attempts or exploitation chains.

---

Risk analysis: strengths, weaknesses, and operational tradeoffs​

Strengths of public disclosure and KEV listing​

• Rapid prioritization: KEV forces organizations — especially federal agencies — to accelerate remediation and reduce exposure windows.
• Visibility: public advisories and tracker data make it easier to hunt and patch.
• Vendor accountability: KEV listings frequently coincide with robust vendor patch cycles and coordinated disclosures.

Weaknesses and practical risks​

• Patch fatigue and legacy systems: many organizations cannot patch immediately without risking service disruption; endpoints may run unmanaged WinRAR installs that slip through inventory tools.
• User interaction vector (WinRAR) remains hard to fully remove: users continue to open attachments and download archives; blocking all archive usage is often operationally infeasible.
• Local exploitation model (Windows driver) means that preventing initial footholds remains critical — privilege escalation is the second step of an intrusion but is often the final step to full system compromise.

Operational tradeoffs​

• Forced two‑week remediation (or other short windows) under BOD 22‑01 imposes heavy operational demands. Organizations must weigh the risk of rapid patching (possible regressions, service interruptions) against the increased exploitation risk if they wait. Compensating controls (network isolation, host hardening, allowlisting) are valid temporary measures but are operationally intensive to implement consistently.

---

Policy and governance implications for Windows administrators and CISOs​

• Vulnerability management programs must prioritize evidence‑driven lists (KEV, vendor exploit advisories) over raw CVE volume. Treat KEV entries as “must‑fix” in triage workflows.
• Asset inventory accuracy is non‑negotiable: absent a reliable baseline you cannot guarantee remediation compliance. Implement continuous software inventory to locate unmanaged WinRAR installations and unmanaged Windows hosts that may be missing critical OEM updates.
• Test and rollback plans must be battle‑tested: aggressive remediation windows make it essential to have staging, rollback, and compatibility testing that minimize business disruption.
• Communication: executive stakeholders need concise risk briefings: what is exposed, remediation plan, and residual risk if full remediation cannot occur within the mandated window.

---

Practical recommendations for WindowsForum readers (summary checklist)​

• Immediate (next 24–72 hours)
• Patch Windows hosts with Microsoft’s December 2025 updates that address the Cloud Files mini‑filter vulnerability.
• Update WinRAR to the vendor’s patched release (install latest stable now).
• Block or quarantine suspicious archive attachments at mail gateway and scan archives for crafted path entries.
• Short term (1–2 weeks)
• Run organization‑wide hunts for persistence artifacts and unexpected extractions to Startup/profile directories.
• Apply allowlisting for application execution in sensitive zones and limit ability for unprivileged users to create services or scheduled tasks.
• Medium term (30–90 days)
• Improve software inventory (MDM, SCCM, vulnerability scanners) to reduce unknowns.
• Harden privilege boundaries: minimize local admin access, tighten user privileges, and enforce least privilege.
• Long term
• Adopt a risk‑based remediation posture that uses KEV and high‑confidence telemetry to drive SLAs.
• Invest in endpoint protection that offers kernel‑level telemetry and automated rollback support for risky updates.

---

Caveats, verification, and a note on source material​

The described technical details for CVE‑2025‑6218 and CVE‑2025‑62221 are corroborated by primary vulnerability records (NVD/CNA/ZDI), vendor advisories, and multiple security vendors’ Patch Tuesday analyses that document vendor fixes and in‑the‑wild activity. For CVE‑2025‑6218 there are public proof‑of‑concept artifacts and vendor release notes that show patched WinRAR builds; for CVE‑2025‑62221 Microsoft’s update guidance and third‑party Patch Tuesday summaries describe the affected driver and the applicable mitigation steps. Note: direct retrieval of CISA’s specific alert page mentioned in community summaries was attempted but blocked by access restrictions in the retrieval method used during reporting; the KEV mechanism and the BOD 22‑01 expectations are well‑documented and are reflected across public advisories and community reporting. Where the CISA alert text itself was not directly retrievable, independent vendor advisories and established vulnerability databases provide the primary factual basis used here. Readers should treat the KEV listing as an operational priority and verify the specific remediation due dates on official CISA and vendor advisories as they plan their response.

---

Final analysis and takeaway​

CVE‑2025‑6218 and CVE‑2025‑62221 are different beasts that converge on the same operational imperative: remove exploitable code paths quickly and defensibly. WinRAR’s path‑traversal issue is a classic user‑interaction vector that amplifies the need for application inventory, mail gateway hygiene, and endpoint allowlisting. The Windows Cloud Files driver bug is a kernel‑mode privilege escalation that underscores the continuing importance of rapid OS patching and minimizing initial footholds.
The KEV listing changes the calculus for federal agencies by imposing remediation timelines and serves as a strong signal to the private sector: these are not hypothetical vulnerabilities. They are being weaponized or present a realistic exploitation pathway that must be addressed immediately. Organizations that treat KEV additions as low priority will face rising operational risk and increasing likelihood of compromise.
Action now protects you later: apply vendor fixes, hunt for artifacts, and close the attack chains that let an adversary go from a user opening an archive or running a low‑privilege binary to full SYSTEM compromise. Failure to act quickly is the risk most organizations cannot afford.

---

---

Source: CISA CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA