WinRAR CVE-2025-6218 Path Traversal: KEV Listing and Patch Guide

Late on December 9, 2025 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a WinRAR path‑traversal vulnerability — tracked as CVE‑2025‑6218 — to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence that attackers are actively abusing the bug in the wild; the vulnerability was patched months earlier by RARLAB, but large numbers of unpatched installations mean the risk is still real and immediate.

Background / Overview​

WinRAR has been a fixture on Windows desktops since the mid‑1990s. The RAR format and WinRAR itself date back to the early 1990s, with the WinRAR GUI first released in 1995; the tool’s longevity explains both its popularity and its exposure. The program’s long life also means it carries a lot of legacy code and support for many archive formats that few modern tools still parse. CVE‑2025‑6218 is a directory‑traversal vulnerability affecting Windows builds of WinRAR that can be abused to extract files to arbitrary locations on disk — locations such as the user Startup folders or system paths — and thereby enable execution of files with the victim’s privileges after extraction or reboot. RARLAB issued a fix in June 2025 (WinRAR 7.12 and its follow‑ups), but because WinRAR does not auto‑update, many installations remain vulnerable. This is not an isolated incident: WinRAR’s long history of archive‑format parsing has produced several high‑impact bugs — most famously the ACE‑format path‑traversal exploited in 2018 (CVE‑2018‑20250), which relied on an old unacev2.dll library and resulted in widespread abuse until the vendor removed ACE support. That episode exposed the core problem: legacy parsers + ubiquitous install base = recurring, high‑impact attack surface.

---

The technical picture: how CVE‑2025‑6218 works​

Core weakness: path sanitization failure​

At its core, CVE‑2025‑6218 is a path sanitization / directory traversal bug. When WinRAR extracts archive members that contain crafted path entries (for example, entries with repeated “../” sequences or absolute path markers), the extraction code can be tricked into writing files outside the user‑selected extraction directory. If an attacker places an executable or script in a startup or autorun location, execution follows with the privileges of the logged‑in user.

Attack model and required interaction​

This vulnerability is exploitable with low‑friction social engineering: a victim must open a malicious archive or visit a malicious page that causes the archive to be processed. There is no remote, unauthenticated “worm” vector that requires no user action; successful exploitation depends on convincing the user to interact with the malicious file. That said, the user interaction bar is low — phishing, dubious downloads, and trojanized files remain effective.

What a successful exploit can achieve​

• Place arbitrary files in sensitive locations (Startup folder, Program Files, System32 if privileges permit).
• Install persistence mechanisms (scheduled tasks, startup shortcuts, services).
• Drop loaders or droppers for additional malware (RATs, ransomware, information stealers).
• Escalate the attack chain by delivering a second‑stage payload that exploits other local weaknesses.

---

Timeline and real‑world evidence​

• Discovery and disclosure: public trackers (Zero Day Initiative/ZDI and vulnerability repositories) and RARLAB changelogs show a fix was issued in mid‑June 2025 with WinRAR 7.12 beta and subsequent stable builds. The vendor explicitly described a directory traversal extraction bug in the Windows builds and associated UnRAR components.
• Proof‑of‑concept and in‑the‑wild use: public PoC code and multiple security vendors reported weaponization soon after disclosure. Multiple security firms flagged observed exploitation by at least two distinct groups and indicated the vulnerability was used in targeted phishing and spearphishing campaigns.
• KEV listing and defensive urgency: CISA placed CVE‑2025‑6218 on the Known Exploited Vulnerabilities list on December 9, 2025, converting intelligence into an operational remediation requirement for U.S. federal agencies and signaling urgent priority for defenders outside government.
• Follow‑on WinRAR bugs in 2025: later in 2025 researchers disclosed and vendors patched a second, related directory‑traversal zero‑day (CVE‑2025‑8088), which ESET linked to active exploitation by the RomCom group; RARLAB released a further update (7.13) to address that separate issue. This sequence demonstrates that patching one bug does not immunize the product from different, functionally similar flaws.

---

Why WinRAR keeps showing up in headlines​

1) Legacy code and a broad archive codec set​

WinRAR supports a wide variety of archive formats, some of them obscure and legacy. Each additional format requires dedicated parsing code; decades‑old parsers and compatibility shims expand the attack surface compared with a modern, minimal codebase. The ACE fiasco in 2018 showed how an old third‑party DLL could be a vector decades after its inclusion.

2) Huge installed base and inertia​

Millions of Windows users have WinRAR installed out of habit, not necessity. That “installed inertia” means even when patches exist binary churn is slow: many users either don’t know to update, assume their install is harmless, or continue to run old installers from long‑forgotten backups. The lack of an automatic update mechanism makes the problem worse.

3) File parsing is a risky business​

Any application that opens, parses, and extracts files from untrusted input performs a high‑risk operation. Archive tools must process filenames, file attributes, compression metadata, and sometimes executes format‑specific filters — all of which create opportunities for subtle parsing errors that can be escalated into directory traversal, buffer overflows, or logic flaws. WinRAR’s breadth of feature support increases probability of mistakes.

4) Social and UX factors​

The common habit of opening attachments and extracting compressed files — especially on Windows where double‑clicking an archive is routine — lowers the bar for attackers. Security boundaries that rely on user caution are brittle when habit and convenience dominate behaviour. CISA’s KEV addition implicitly recognizes the operational ease with which CVE‑2025‑6218 can be abused in broad phishing campaigns.

---

What defenders — home users and admins — must do now​

Immediate actions (applies to all users)​

• Update WinRAR: Install the latest stable WinRAR build (7.12+ for CVE‑2025‑6218; later 7.13+ if concerned about other reported 2025 issues). Because WinRAR does not auto‑update, download the vendor’s installer and run it. This is the single most effective step.
• Avoid opening archives from untrusted sources: Treat unknown .rar/.zip/.7z files with the same suspicion as executables. Preview contents in an isolated VM or sandbox where possible.
• Use least‑privilege accounts: Run daily tasks under standard (non‑admin) accounts; even if a dropped binary executes, user privilege limits reduce impact.

For enterprises and managed fleets​

• Inventory all endpoints for WinRAR presence and version using MDM/CMDB tools (Intune, SCCM, Jamf, EDR inventories). Prioritize remediation where WinRAR is present on high‑risk machines (admin workstations, shared mailboxes, jump hosts).
• Push the patched WinRAR installer via management channels or deploy an enterprise policy to block older WinRAR executables until updated. Where immediate patching is impossible, consider application allow‑listing or blocking extraction to risky paths.
• Harden email gateways: block or quarantine archive attachments from low‑trust senders, remove nested archives automatically, and apply content disarm/repair (CDR) where available.
• Deploy detection rules: hunt for suspicious extraction activity writing into Startup folders, %APPDATA% locations, or unexpected Program Files subpaths. Look for newly created LNKs, scheduled tasks, and uncommon autorun entries.

Technical mitigations and compensating controls​

• Application allow‑listing (AppLocker, Microsoft Defender Application Control) to stop execution from user profile locations.
• EDR/endpoint telemetry tuned to detect execution from %APPDATA% and other nonstandard paths.
• Network segmentation to isolate high‑value assets from endpoints where users open arbitrary attachments.
• Mail sandboxing to execute and analyze attachments in a controlled environment before delivery.

---

Alternatives and longer‑term options​

• Use modern, actively maintained archive tools with smaller codebases and robust update mechanisms (for example, 7‑Zip, PeaZip, or built‑in Windows File Explorer extraction on Windows 11 where available). These alternatives support mainstream archive formats and, in many cases, update more frequently or present smaller attack surfaces for legacy formats. However, feature parity differs — power users who need WinRAR’s rar‑creation, recovery volumes, or special options should evaluate tradeoffs carefully.
• Where feasible, prefer read‑only archive inspection in a sandboxed environment or virtual machine for attachments originating from external parties.

---

Critical analysis: strength of the vendor response, and the real risk picture​

• Strengths: RARLAB patched CVE‑2025‑6218 proactively in June 2025 and released follow‑up fixes for subsequent discoveries (7.13 addressed a later RomCom‑linked issue). The vendor’s changelogs and advisories show that fixes were implemented in a timely fashion once vulnerabilities were responsibly reported.
• Weaknesses: The central weakness is distribution and update friction. WinRAR’s lack of an automatic update channel and high installed base — including long‑forgotten installs on unmanaged machines — means remediation rollouts are slow. Patch availability alone did not stop exploitation; operational realities did.
• Operational risk: The KEV listing converts observed exploitation into a high‑priority operational task for federal agencies (and a de facto priority for the private sector). That step reflects credible telemetry of in‑the‑wild abuse by multiple actors. For defenders this means an urgent mix of patching, detection, and risk containment — simple advisory language alone is not enough.
• Where the narrative can mislead: Headlines that say “WinRAR is broken again” capture attention but oversimplify. The practical reality: the vulnerability class (directory traversal during extraction) is a common parsing flaw across many archive tools historically. WinRAR’s repeated appearance owes as much to its ubiquity as to uniquely poor engineering. In some cases the problem is less “one app is uniquely insecure” and more “legacy parsers + mass adoption = repeated exploitation opportunities.” That nuance matters for firms making policy decisions.
• Unverifiable or exaggerated claims: definitive counts of successful compromises or the exact number of unpatched installs are often absent from public reporting; large‑scale infection numbers circulated on social media should be treated cautiously unless backed by vendor telemetry or coordinated industry reporting. Any number that appears without corroborating telemetry from multiple vendors should be flagged as provisional.

---

Practical detection playbook (quick checklist)​

• Search for recent filesystem writes into:
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
• %USERPROFILE%\AppData\Roaming (unexpected executables)
• Unusual files appearing in Program Files subfolders.
• Hunt for:
• New scheduled tasks created during a suspicious timeframe.
• LNK files in Startup created outside legitimate installers.
• Executions originating from user profile directories.
• Block and contain:
• Quarantine endpoints with suspicious writes and collect forensic artifacts (archive sample, extracted file names, timestamps).
• Follow incident response playbook for possible persistence artifacts and lateral movement.

---

Bottom line and closing assessment​

WinRAR’s recurring appearance in security bulletins is a predictable outcome of three factors: a large, often unmanaged installed base; a codebase that still parses a wide set of legacy formats; and the routine human behaviour of opening attachments without sufficient isolation. The immediate fix for CVE‑2025‑6218 is simple in concept — install the patched WinRAR build — but the operational reality is messier: manual updates, unmanaged endpoints, and human behaviour slow remediation and keep risk alive.
For home users, the practical path is straightforward: update WinRAR now if it is installed, avoid opening archive attachments from untrusted sources, and consider switching to lightweight alternatives or using built‑in Windows extraction for casual archive handling. For administrators, treat the CISA KEV listing as a prioritization order: inventory endpoints, push updates, apply temporary mitigations at mail gateways, and hunt for indicators of extraction‑to‑startup behaviour. WinRAR is not “dead” as a product, nor is it uniquely evil — but as the KEV listing shows, legacy features plus human habit create repeatable attack paths. The cure is an operational one: timely patching, sensible default controls (allow‑listing, sandboxing, least privilege), and treating archive parsing as a high‑risk activity rather than a mundane desktop convenience. Conclusion: the technical fix already exists; the urgent work now is organizational — get the patched binaries onto your endpoints, harden mail and extraction workflows, and assume that any tool that processes untrusted data is an active attack surface requiring attention.

---

Source: MakeUseOf This 30-year-old app is somehow still one of the biggest security risks on Windows