
WinRAR Flaw Under Active Attack Now

December 10, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added a security flaw in the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 with a CVSS score of 7.8, is a path traversal bug. It can lead to remote code execution, although successful exploitation requires a victim to visit a malicious webpage or open a specially crafted malicious file. CISA's alert states that the flaw allows an attacker to execute code with the privileges of the currently logged-in user.

The vulnerability was subsequently addressed and patched by RARLAB with the release of WinRAR 7.12 in June 2025. It is important to note that the issue is specific to Windows-based builds of the software, and versions available for other operating systems like Unix and Android remain unaffected. At the time of the patch, RARLAB highlighted the severity of the flaw, noting that it “could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login.”

The addition of this flaw to the KEV catalog follows a series of reports from security firms including BI.ZONE, Foresiet, SecPod, and Synaptic Security, all confirming that the vulnerability has been leveraged by at least two distinct threat actors, GOFFEE (also known as Paper Werewolf) and Bitter (also known as APT-C-08 or Manlinghua), as well as by the Gamaredon group. An analysis published by a Russian cybersecurity vendor in August 2025 indicated that GOFFEE might have been exploiting CVE-2025-6218 in conjunction with another WinRAR path traversal flaw, CVE-2025-8088, in attacks targeting organizations in Russia in July 2025, primarily distributed through phishing emails.

Further investigation revealed that the South Asia-focused Bitter APT has also weaponized this vulnerability. Their goal was to establish persistence on a compromised host and ultimately deliver a C# trojan via a lightweight downloader. This attack technique utilizes a malicious RAR archive, in this instance named “Provision of Information for Sectoral for AJK.rar,” which deceptively contains a legitimate-looking Word document alongside a harmful macro template. As explained by Foresiet last month, “The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path.” Since the Normal.dotm file is a global template that loads every time Microsoft Word is opened, replacing the legitimate file ensures the attacker’s malicious macro code executes automatically, thereby establishing a persistent backdoor and bypassing standard security measures against email macros. The C# trojan itself is built to contact an external command-and-control server and is capable of keylogging, capturing screenshots, harvesting RDP credentials, and exfiltrating files.
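Both the RARLAB advisory quoted above (files placed in the Windows Startup folder) and the Bitter campaign (a Normal.dotm dropped into Word's global template directory) rely on the same primitive: an archive entry whose name climbs out of the extraction directory. The scanner below is an added example, not code from the article, from RARLAB or from any of the vendors cited; it inspects entry names from any archive listing and flags entries that escape the extraction root or land in a known auto-run location. The concrete Startup and Templates paths are general Windows knowledge, not taken from the article, and the sample entry names are constructed.

```python
"""Flag archive entry names that would escape the extraction directory.

Added example (not the article's or RARLAB's code). An extractor that trusts
entry names verbatim can be made to write outside the chosen directory; this
scanner works on the names alone, so it can run on a listing produced by any
archive tool without opening the archive itself.
"""
import ntpath
from typing import List, Tuple

# Well-known Windows drop targets: the first runs on the next login, the second
# loads every time Word starts. The paths are general Windows knowledge, not
# values taken from the article. Matching is done on lower-cased '/' paths.
SENSITIVE_SUFFIXES = (
    "microsoft/windows/start menu/programs/startup/",
    "microsoft/templates/normal.dotm",
)


def normalise(name: str) -> str:
    """Fold Windows back-slashes to '/' so one check covers both styles."""
    return name.replace("\\", "/")


def is_traversal(name: str) -> bool:
    """True if the entry name would escape the extraction root.

    Flags drive letters and UNC prefixes ('C:\\...', '\\\\server\\share'),
    absolute POSIX paths, and '..' segments that climb above the root after
    accounting for segments that descended first. 'images/../images/logo.png'
    stays inside the root and is therefore not flagged.
    """
    if ntpath.splitdrive(name)[0]:
        return True
    norm = normalise(name)
    if norm.startswith("/"):
        return True
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def targets_sensitive_location(name: str) -> bool:
    """True if the entry name points into one of the known auto-run targets."""
    norm = normalise(name).lower()
    return any(suffix in norm for suffix in SENSITIVE_SUFFIXES)


def scan_entries(names: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (entry name, reasons) for every entry worth blocking or alerting on."""
    findings = []
    for name in names:
        reasons = []
        if is_traversal(name):
            reasons.append("escapes extraction directory")
        if targets_sensitive_location(name):
            reasons.append("targets auto-run location")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample listing modelled on the pattern described above: a decoy
# document plus files dropped via traversal. All names are invented.
SAMPLE_ENTRIES = [
    "Provision of Information.docx",
    "images/../images/logo.png",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "C:\\Windows\\Temp\\payload.dll",
]

if __name__ == "__main__":
    for entry, reasons in scan_entries(SAMPLE_ENTRIES):
        print(f"{entry!r}: {', '.join(reasons)}")
```

In a mail gateway or endpoint control this check belongs before extraction: an archive with any flagged entry should be quarantined rather than unpacked, and the "targets auto-run location" reason is a strong signal on its own even on a patched host, since a legitimate document archive has no reason to ship a Normal.dotm or a Startup-folder shortcut.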

Finally, the vulnerability CVE-2025-6218 has also been exploited by the Russian state-sponsored hacking group known as Gamaredon. This group has been observed using the flaw in phishing campaigns directed at Ukrainian military, governmental, political, and administrative entities with the purpose of infecting them with a malware variant referred to as Pteranodon. This activity was first documented in November 2025. A security researcher characterized the campaign as “a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.” This adversary has also broadly abused the related flaw, CVE-2025-8088, using it to deploy malicious Visual Basic Script malware and even a newly developed wiper malware codenamed GamaWiper. Due to the high risk of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have been mandated to apply the necessary security updates by December 30, 2025.
