WinRAR Vulnerability CVE-2025-6218 Actively Targeted by Multiple Threat Groups

A newly disclosed security flaw in WinRAR has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog after investigators confirmed that threat actors are actively abusing it.

The flaw, tracked as CVE-2025-6218 with a severity score of 7.8, is a path traversal issue that can allow code execution if a target user opens a malicious file or accesses a harmful webpage.

According to a CISA alert, RARLAB WinRAR contains a path traversal vulnerability that allows attackers to run code using the privileges of the current user.

Patch Released for Windows Version

RARLAB fixed the issue in WinRAR version 7.12, released in June 2025. The vulnerability only affects Windows builds, while Unix and Android versions remain unaffected.

The developer explained that this flaw could allow attackers to place unauthorized files in sensitive paths such as the Windows Startup directory, which may lead to unwanted code execution during the next user login.

Threat Groups Leveraging the Vulnerability

Reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security confirm that the flaw has been exploited by several threat groups, including GOFFEE (Paper Werewolf), Bitter (APT-C-08, Manlinghua), and Gamaredon.

In an August 2025 analysis, BI.ZONE noted indications that GOFFEE abused CVE-2025-6218 together with CVE-2025-8088, another WinRAR path traversal flaw, in phishing attacks targeting local organizations.

Further investigation showed that the South Asia-based Bitter APT also weaponized the vulnerability. Their attack sequence uses a malicious RAR file named “Provision of Information for Sectoral for AJK.rar” containing a clean Word document and a harmful macro-enabled template.

Foresiet reported that the archive plants a tampered Normal.dotm template inside Microsoft Word's global template directory. This ensures the malicious macro executes every time Word opens, giving attackers a persistent backdoor that avoids standard macro blocking.
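The two persistence locations named above, the Windows Startup folder and Word's global template directory, are where a path traversal in an archive extractor does its damage. As an added example (not code from the article, RARLAB or any of the cited vendors), the following defender-side check resolves archive member names against the chosen extraction directory and flags any member that would escape it or land in one of those directories; the extraction path, member names and the assumed profile-relative locations of both directories are constructed for the example.

```python
"""Flag archive member names that escape the extraction directory or would be
written into known persistence directories. Added example with constructed input."""
import ntpath
from typing import List, Tuple

# Assumed profile-relative locations of the two directories the article names.
SENSITIVE_DIR_SUFFIXES = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"\appdata\roaming\microsoft\templates",
)

# Constructed scenario: WinRAR extracting into the user's Downloads folder.
EXTRACT_DIR = r"C:\Users\victim\Downloads"
SAMPLE_ENTRIES = [
    r"report.docx",                            # benign decoy document
    r"docs\..\readme.txt",                     # '..' that still stays inside the target
    r"..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"C:\Windows\Temp\loader.exe",             # absolute path, never legitimate
]


def resolve_member(name: str, extract_dir: str) -> Tuple[str, str]:
    """Return (verdict, resolved_path); verdict is 'ok', 'traversal' or 'absolute'."""
    win_name = name.replace("/", "\\")
    # Drive letters, UNC prefixes and rooted paths ignore the extraction directory.
    if ntpath.splitdrive(win_name)[0] or win_name.startswith("\\"):
        return "absolute", ntpath.normpath(win_name)
    base = ntpath.normpath(extract_dir).rstrip("\\") + "\\"
    resolved = ntpath.normpath(ntpath.join(base, win_name))  # collapses '..' segments
    # Containment check, case-insensitive as NTFS path lookup is.
    if not resolved.lower().startswith(base.lower()):
        return "traversal", resolved
    return "ok", resolved


def lands_in_sensitive_dir(resolved_path: str) -> bool:
    """True if the member would be written into a known persistence directory."""
    directory = ntpath.dirname(resolved_path).lower()
    return any(directory.endswith(suffix) for suffix in SENSITIVE_DIR_SUFFIXES)


def scan_archive(entries: List[str], extract_dir: str) -> List[Tuple[str, str, bool]]:
    """Classify every member; refuse to extract anything whose verdict is not 'ok'."""
    report = []
    for name in entries:
        verdict, resolved = resolve_member(name, extract_dir)
        report.append((name, verdict, lands_in_sensitive_dir(resolved)))
    return report


if __name__ == "__main__":
    for name, verdict, sensitive in scan_archive(SAMPLE_ENTRIES, EXTRACT_DIR):
        print(f"{verdict:9} sensitive={str(sensitive):5} {name}")
```

The second sample entry shows why a naive search for ".." is not enough: a relative `..` that resolves back inside the extraction directory is harmless, while the two entries that escape it are what the check must block.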

The attackers then deploy a C# trojan that contacts “johnfashionaccess[.]com” for command and control and can perform keylogging, screenshot capture, RDP credential theft, and file exfiltration. These infections are delivered through targeted spear-phishing campaigns.

Gamaredon Targets Ukrainian Entities

The Russian-aligned Gamaredon group has also exploited CVE-2025-6218 in phishing operations against Ukrainian military and government bodies, delivering the Pteranodon malware. Activity related to this campaign was first recorded in November 2025.

A researcher known as Robin stated that the operation follows a structured, military-driven strategy consistent with Russian intelligence activity.

Gamaredon has also been linked to extensive abuse of CVE-2025-8088, using it to drop malicious Visual Basic Script files and a new destructive malware named GamaWiper. ClearSky reported that this marks the first observed case of the group conducting destructive actions instead of traditional espionage.

US Federal Agencies Ordered to Patch Immediately

Due to active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply the required WinRAR security updates by December 30, 2025, to protect their networks.
