Critical WinRAR Vulnerability CVE-2025-6218 Exploited by Multiple Threat Actors
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw in the WinRAR file archiver, tracked as CVE-2025-6218, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a path traversal in archive extraction, rated CVSS 7.8, that lets an attacker write files outside the directory the user chose and, through that, run code in the context of the current user. Exploitation requires user interaction: the target has to open (extract) a specially crafted archive, typically delivered by email or from a malicious webpage.
RARLAB, the developer of WinRAR, fixed the issue in June 2025 with version 7.12. Only the Windows builds (WinRAR and the Windows versions of RAR, UnRAR and UnRAR.dll) are affected; the Unix and Android versions are not. The root cause is that the extractor could be tricked into using a path defined inside the archive instead of the user-specified destination, so a crafted entry can be dropped into a sensitive location such as the user's Startup folder, where it is executed the next time that user logs on.
Multiple cybersecurity firms, including BI.ZONE, Foresiet, SecPod, and Synaptic Security, have reported active exploitation of CVE-2025-6218 by various threat actors:
– GOFFEE (aka Paper Werewolf): In July 2025, this group targeted Russian organizations with phishing emails carrying malicious archives. The archives exploited both CVE-2025-6218 and a second WinRAR path traversal, CVE-2025-8088 (fixed in version 7.13), to execute code while showing the victim a decoy document.
– Bitter APT (aka APT-C-08 or Manlinghua): Focusing on South Asian targets, Bitter APT used the vulnerability to establish persistence. It distributed RAR archives named Provision of Information for Sectoral for AJK.rar containing a benign Word document alongside a malicious macro-enabled template. Extraction overwrote Word's global template (Normal.dotm), so the macro ran every time Word started, giving the attackers a persistent backdoor. The C# trojan it deployed supported keylogging, screenshot capture, RDP credential harvesting, and file exfiltration.
– Gamaredon: This Russian group exploited CVE-2025-6218 in phishing campaigns against Ukrainian military, governmental, political, and administrative entities to deploy the Pteranodon malware. Researchers describe these operations as structured, military-oriented espionage and sabotage, likely coordinated by Russian state intelligence.
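Both the Startup-folder and the Normal.dotm cases above are the same primitive: an archive entry whose stored name resolves outside the extraction directory. The following Python is an added example written for this page (not RARLAB code and not a reproduction of the bug's internal trigger). It shows the check an extractor or a triage script should make: resolve each stored entry name against the chosen destination with Windows path semantics, flag anything that escapes, and call out escapes that land in known per-user autorun locations. The destination path, the entry names and the persistence-location fragments are all constructed for illustration; reading real RAR headers would need an archive library, which is out of scope here.

```python
import ntpath

# Extraction directory chosen by the user (constructed for this example).
DEST = r"C:\Users\alice\Downloads\report"

# Per-user locations the reports above describe as targets: the Startup folder
# (runs at next logon) and Word's template directory (Normal.dotm macros).
# Lower-case fragments with a trailing separator so only the whole directory
# name matches, not a sibling that merely shares a prefix.
PERSISTENCE_FRAGMENTS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\appdata\\roaming\\microsoft\\templates\\",
)


def resolve_entry(dest: str, entry_name: str) -> str:
    """Absolute Windows path an extractor would write to if it joined the
    stored name onto `dest` and let `..`, `/` and drive-absolute names through
    unchanged (the unsafe behaviour this check is looking for)."""
    name = entry_name.replace("/", "\\")          # RAR names may use either
    return ntpath.normpath(ntpath.join(dest, name))


def classify_entry(dest: str, entry_name: str):
    """Return (verdict, resolved_path). Verdicts:
    'ok'          -> stays inside dest
    'traversal'   -> escapes dest
    'persistence' -> escapes dest and lands in a known autorun location
    """
    # Trailing separator: "...\report_backup" must not count as inside "...\report".
    root = ntpath.normpath(dest).rstrip("\\") + "\\"
    target = resolve_entry(dest, entry_name)
    lowered = target.lower()                      # NTFS is case-insensitive
    if lowered.startswith(root.lower()):
        return "ok", target
    if any(frag in lowered for frag in PERSISTENCE_FRAGMENTS):
        return "persistence", target
    return "traversal", target


def scan_entries(dest: str, entry_names):
    """Classify every stored name; returns a list of (name, verdict, target)."""
    return [(n, *classify_entry(dest, n)) for n in entry_names]


# Constructed archive listing: a decoy document plus traversing entries of the
# two shapes described in the text. Not taken from any real sample.
SAMPLE_ENTRIES = [
    r"Provision of Information.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"..\..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    "../../Desktop/readme.lnk",         # forward slashes, same effect
    r"..\report_backup\notes.txt",      # sibling dir: escapes despite shared prefix
    r"sub\..\inside.txt",               # `..` resolved inside dest: harmless
]

if __name__ == "__main__":
    for name, verdict, target in scan_entries(DEST, SAMPLE_ENTRIES):
        print(f"{verdict:12} {name!r} -> {target}")
```

The decisive detail is the trailing separator on the destination root: a plain prefix comparison would accept `..\report_backup\...` as "inside" `...\report`. A safe extractor refuses (or renames) anything that is not `ok`; a triage script run over a suspicious archive's listing gets an immediate read on whether it was built for persistence.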
In response to this active exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the fix by December 30, 2025. For everyone else the remediation is the same: upgrade to WinRAR 7.12 or later (7.13 also closes CVE-2025-8088). WinRAR has no automatic update mechanism, so the new build has to be installed manually or pushed through software deployment tooling, and any bundled copies of UnRAR.dll shipped with other products need updating separately.