Vulnerability in WinRAR is being actively exploited by several groups

The US cybersecurity agency CISA has warned of a serious security flaw in the widely used archiving program WinRAR. The vulnerability, tracked as CVE-2025-6218, is currently being exploited by several attackers.
Update available for a long time
The vulnerability, which has a CVSS score of 7.8, enables a path traversal attack: manipulated archives or crafted websites can cause files to be written to locations where they do not belong, in the worst case to security-critical system directories such as the Windows Startup folder. If such an attack succeeds, malicious code can be executed unintentionally in the context of the logged-in user, for example at the next logon if the file was dropped into the Startup folder. Only the Windows versions of WinRAR are affected; versions for other operating systems do not have the problem. The manufacturer Rarlab fixed the vulnerability in version 7.12 in June 2025, but many users have not yet installed the update. WinRAR does not update itself, so the fix only arrives on a system when the user downloads and installs the new version manually.
As it turns out, the vulnerability is part of several complex attack chains. Security companies such as BI.ZONE, Foresiet, SecPod and Synaptic Security report campaigns by several actors, including GOFFEE (also known as Paper Werewolf), the Bitter APT group and the Russian hacker collective Gamaredon.
Even military attacks
GOFFEE is said to have combined the vulnerability with another WinRAR vulnerability (CVE-2025-8088) in targeted phishing attacks in the summer of 2025. The Bitter group, in turn, uses specially prepared RAR archives to establish persistent access to compromised systems: a harmless-looking Word document is delivered together with a manipulated macro template that is silently copied into the global Word template folder. As a result, the malicious macro is loaded automatically every time Word starts and serves as the entry point for a C# Trojan that can access data and communicate with an external command-and-control server.
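Both chains above rely on the same primitive: an archive entry whose path escapes the extraction directory and lands in a folder whose contents run automatically (the Windows Startup folder in the generic case, Word's STARTUP and Templates folders in the Bitter case). The following script is an added example written for this article, not WinRAR or Rarlab code and not taken from any of the cited reports. It takes the bare entry names of an archive (for instance the output of `unrar lb archive.rar`) and classifies each one before anything is extracted: absolute paths, paths that resolve outside the extraction directory, and paths that resolve into an auto-run location are reported. The extraction directory, the sample listing and the list of auto-run folders are constructed for the example; it is a defense-in-depth gate for pipelines that unpack untrusted archives, not a replacement for updating WinRAR.

```python
"""Pre-extraction path-traversal check for archive entry names.

Added example for this article; not WinRAR/Rarlab code.
Input: bare entry names as listed by the archiver (e.g. `unrar lb`).
Output: a verdict per entry and the absolute path it would be written to.
"""
import ntpath
import re

# Folders whose contents are executed or loaded automatically.
# Constructed list for the example; matched against the lower-cased
# directory part of the resolved path.
AUTORUN_SUFFIXES = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",  # runs at logon
    r"\appdata\roaming\microsoft\word\startup",                          # loaded by Word
    r"\appdata\roaming\microsoft\templates",                             # Normal.dotm lives here
)

# Assumed extraction directory of a hypothetical user "victim".
DEFAULT_EXTRACT_DIR = r"C:\Users\victim\Downloads\extract"

DRIVE_RE = re.compile(r"^[a-zA-Z]:")


def normalize(name):
    """Archives may store either separator; use backslashes throughout."""
    return name.replace("/", "\\")


def classify_entry(name, extract_dir=DEFAULT_EXTRACT_DIR):
    """Return (verdict, resolved_path) for one archive entry.

    verdict is 'ok', 'absolute', 'traversal' or 'autorun'.
    """
    n = normalize(name)
    # Absolute or UNC paths never belong in an archive meant for extraction.
    if n.startswith("\\") or DRIVE_RE.match(n):
        return "absolute", n
    base = ntpath.normpath(extract_dir)
    # normpath collapses '..' components, giving the path the extractor would write.
    resolved = ntpath.normpath(ntpath.join(base, n))
    base_l, resolved_l = base.lower(), resolved.lower()
    # The trailing separator prevents 'extract2' from matching 'extract'.
    inside = resolved_l == base_l or resolved_l.startswith(base_l + "\\")
    if inside:
        return "ok", resolved
    target_dir = ntpath.dirname(resolved_l)
    for suffix in AUTORUN_SUFFIXES:
        if target_dir.endswith(suffix):
            return "autorun", resolved
    return "traversal", resolved


def scan_listing(names, extract_dir=DEFAULT_EXTRACT_DIR):
    """Return [(name, verdict, resolved)] for every entry that is not 'ok'."""
    flagged = []
    for name in names:
        verdict, resolved = classify_entry(name, extract_dir)
        if verdict != "ok":
            flagged.append((name, verdict, resolved))
    return flagged


# Constructed sample listing: two benign entries, a Startup-folder drop,
# a Word STARTUP template drop, and an absolute path.
SAMPLE_LISTING = [
    "Invoice_2025.docx",
    "images/logo.png",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat",
    r"..\..\AppData\Roaming\Microsoft\Word\STARTUP\Invoice.dotm",
    r"C:\Windows\Temp\helper.dll",
]


if __name__ == "__main__":
    for name, verdict, resolved in scan_listing(SAMPLE_LISTING):
        print(f"{verdict:9} {name}\n          -> {resolved}")
```

The check only answers the question "where would this entry be written?"; it says nothing about the file contents, so a `.dotm` or `.bat` that stays inside the extraction directory is still reported as `ok`. It also has to be run on exactly the names the extractor will use, which is why the input is the archiver's own listing rather than a re-implementation of the RAR format.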
The attacks by the Russian group Gamaredon, which uses the vulnerability to infect Ukrainian military and government offices with the malicious program “Pteranodon”, are particularly serious. Experts describe a clearly military-oriented, state-coordinated espionage and sabotage campaign. A new, destructive wiper called “GamaWiper” has now also been observed, a first for Gamaredon, which has previously been known primarily for information theft.