Warning: Winrar Vulnerability Cve-2025-6218 Under Active Attack By...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.

"RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user," CISA said in an alert.

The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

"This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login," RARLAB noted at the time.

The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security, the vulnerability has been exploited by two different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.

In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may be exploited CVE-2025-6218 along with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails.

It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to facilitate persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader. The attack leverages a RAR archive ("Provision of Information for Sectoral for AJK.rar") that contains a benign Word document and a malicious macro template.

"The malicious archive drops a file named Normal.dotm into Microsoft Word's global template path," Foresiet said last month. "Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise."

The C# trojan is designed to contact an external

Source: The Hacker News