WinRAR CVE-2025-6218 Under Active Attack: Patch Now

December 10, 2025 at 12:00 AM

CISA has added WinRAR vulnerability CVE-2025-6218 (CVSS 7.8) to its Known Exploited Vulnerabilities catalog, confirming active exploitation by multiple threat groups. The flaw is a path traversal issue that can enable code execution if a user visits a malicious page or opens a malicious file.

What you need to know:

  • Affected software: WinRAR for Windows only. Unix and Android builds are not affected.
  • Fix available: RARLAB patched the issue in WinRAR 7.12 (June 2025). Update immediately.
  • Impact: The bug can place files in sensitive locations such as the Windows Startup folder, leading to code execution at the next login.

Exploitation in the wild:

  • GOFFEE (also known as Paper Werewolf): Reported using CVE-2025-6218 alongside CVE-2025-8088 (CVSS 8.8) in July 2025 phishing campaigns targeting organizations in Russia, per an August 2025 analysis.
  • Bitter (APT-C-08, Manlinghua): Weaponizes the flaw for persistence. A lure archive named Provision of Information for Sectoral for AJK.rar packages a benign Word document and a malicious macro template. The attack drops Normal.dotm into the global Word template path so macros auto-load, bypassing typical email macro blocking after initial compromise. A lightweight downloader then delivers a C# trojan that contacts johnfashionaccess[.]com for C2, enabling keylogging, screenshots, RDP credential theft, and file exfiltration. Distribution is via spear-phishing.
  • Gamaredon (Russia-linked): Targets Ukrainian military, governmental, political, and administrative entities, deploying Pteranodon. Activity surfaced in November 2025 and has been characterized as structured, military-oriented espionage and sabotage consistent with state coordination. The group also abuses CVE-2025-8088 to deliver VBS malware and a wiper dubbed GamaWiper, marking a shift toward destructive operations noted on November 30, 2025.

Required action and mitigations:

  • Upgrade to WinRAR 7.12 or later on all Windows systems; remove outdated versions.
  • Federal Civilian Executive Branch agencies must apply fixes by December 30, 2025.
  • Limit or inspect RAR attachments and downloads; restrict archive execution from email clients and browsers.
  • Monitor for writes to Windows Startup folders and changes to the Office global template (Normal.dotm) path.
  • Watch for outbound traffic to johnfashionaccess[.]com and other suspicious domains.
  • Enforce strong Office macro policies and template integrity checks.
  • Provide phishing awareness training to users.
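
The two checks behind the Impact note and the Startup/Normal.dotm monitoring item above, as an added example in Python (not WinRAR's or RARLAB's code): every archive entry must resolve inside the chosen output directory, and any entry that would land in an auto-executing location is flagged on its own. The profile path for user "alice" and the archive listing are constructed; the Startup and Templates locations are the Windows defaults.

```python
"""Pre-extraction audit of archive entry names (added example, not WinRAR code).

Models what an extractor or mail gateway should check for this bug class:
entries must stay inside the output directory, and writes into auto-load
locations (per-user Startup folder, the Word Templates directory that holds
Normal.dotm) are the persistence path the campaigns above rely on.
"""
import ntpath

# Default Windows locations; the user name "alice" is a constructed value.
USER_PROFILE = r"C:\Users\alice"
SENSITIVE_DIRS = {
    "startup": USER_PROFILE + r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    "word_templates": USER_PROFILE + r"\AppData\Roaming\Microsoft\Templates",
}


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Path the entry would be written to if its name were trusted verbatim."""
    # ntpath works on any OS, so '..', '/' vs '\\' and case are treated as Windows would.
    return ntpath.normcase(ntpath.normpath(ntpath.join(dest_dir, entry_name)))


def audit_entry(dest_dir: str, entry_name: str) -> list:
    """Findings for one entry: [] if safe, else 'traversal' and/or 'sensitive:<label>'."""
    target = resolve_entry(dest_dir, entry_name)
    base = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\")
    findings = []
    if not (target == base or target.startswith(base + "\\")):
        findings.append("traversal")          # escapes the output directory
    for label, path in SENSITIVE_DIRS.items():
        if target.startswith(ntpath.normcase(path) + "\\"):
            findings.append("sensitive:" + label)  # would auto-execute or auto-load
    return findings


def audit_archive(dest_dir: str, entry_names: list) -> dict:
    """Map each unsafe entry name to its findings; an empty dict means extract freely."""
    return {name: f for name in entry_names if (f := audit_entry(dest_dir, name))}


if __name__ == "__main__":
    # Constructed listing: one benign document plus entries aimed at auto-load locations.
    listing = [
        "report.docx",
        "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
        "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
        "C:\\Windows\\Temp\\payload.exe",
    ]
    for name, findings in audit_archive(r"C:\Users\alice\Downloads\extract", listing).items():
        print(f"BLOCK {name!r}: {', '.join(findings)}")
```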

Source: The Hacker News
