Technology

Vulnerability in WinRAR is being actively exploited by several groups

The US cybersecurity agency CISA has identified a serious security flaw in the widely used packaging program warned. The vulnerability with the identifier CVE-2025-6218 is currently being exploited by several attackers.

Update available for a long time

The vulnerability, which has a CVSS score of 7.8, enables a path traversal attack: Manipulated archives or crafted websites can ensure that files are stored in places where they do not actually belong, in the worst case in security-critical system directories such as the Windows startup. If such an attack is carried out successfully, malicious code can be unintentionally executed in the context of the logged in user. Only WinRAR versions for Windows are affected; versions for other operating systems do not have the problem. The manufacturer Rarlab closed the vulnerability with version 7.12 in June 2025, but many users have not yet carried out an update.

As it turns out, the vulnerability is part of several complex attack chains. Security companies such as BI.ZONE, Foresiet, SecPod and Synaptic Security report campaigns by several actors, including GOFFEE (Paper Werewolf), the Bitter APT group and the Russian hacker collective Gamaredon.

Even military attacks

GOFFEE is said to have used the vulnerability together with another WinRAR vulnerability (CVE-2025-8088) in targeted phishing attacks in the summer of 2025. The Bitter group, in turn, uses specially prepared RAR archives to set up persistent access to compromised systems. A harmless-looking Word document is delivered together with a manipulated macro template that is secretly copied into the global Word template folder. This means that a malicious macro is automatically loaded every time Word is started and serves as an entry point for a C# Trojan that can access data and communicate with an external command and control server.

The attacks by the Russian group Gamaredon, which uses the vulnerability to infect Ukrainian military and government offices with the malicious program “Pteranodon”, are particularly explosive. Experts speak of a clearly military-oriented, state-coordinated espionage and sabotage campaign. A new, destructive wiper called “GamaWiper” has now even been observed. This is a novelty for Gamaredon, which has previously been known primarily for information theft.

Share
Published by
Yasir Zeb

Recent Posts

Crash in the smartphone market: lowest sales figures in 13 years

The global smartphone market is experiencing a severe downturn, recording its worst quarter in 13…

12 hours ago

Pixel 11: Mega leak shows images and data from the new Google smartphones

Amazon made a big mistake and revealed the entire lineup of the Google Pixel 11…

12 hours ago

Top 10 Payment Card Tools for Everyday Digital Finance

A payment card is easiest to understand when users see how it fits into real…

18 hours ago

OnePlus is ‘dead’: Oppo wants to soon announce its withdrawal from the EU & USA

OnePlus will soon be history. At least in Europe and the USA. What has been…

18 hours ago

Switch 2 OLED: Nintendo is apparently planning a display upgrade after all

Nintendo is reportedly still internally planning an OLED version of the Switch 2 for the…

18 hours ago

Maps: Google launches major visual update with immersive navigation

Google appears to be starting to distribute the new immersive navigation for Google Maps. The…

18 hours ago