WinRAR Directory Traversal Vulnerability (CVE-2025-6218) Enables Remote Code Execution via Malicious Archives
June 26th, 2025
Severity Level: High

Technical Details
CVE ID: CVE-2025-6218
Severity: High (CVSS 7.8)
Exploitation Method: Malicious archive file with directory traversal payload.
Tactics: Social engineering through email or website luring.
Goal: Remote Code Execution, initial access, and potential persistence.
Affected Versions: WinRAR 7.11 and prior versions.
The vulnerability originates from improper sanitization of file paths during archive extraction. A malicious archive can contain directory traversal sequences (e.g. ‘../’), which cause WinRAR to bypass the intended extraction folder and write files to arbitrary paths. Upon extraction, these payloads can be placed in sensitive locations, such as startup directories (e.g., Startup, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup), which would enable automatic execution when the system is rebooted.
Our Cyber Threat Intelligence Unit has identified a vulnerability affecting installations of WinRAR in Windows, tracked as CVE-2025-6218. This vulnerability, which requires user interaction, allows attackers to exploit directory traversal techniques by using specially crafted archive files. This allows them to place arbitrary files outside the intended extraction path, which can result in adversaries achieving remote code execution (RCE) by targeting sensitive directories, such as system startup folders.
CVE-2025-6218 is particularly dangerous when combined with social engineering tactics, such as phishing, which can trick victims into opening a malicious link or file. Once opened, payloads can be installed undetected and executed upon system reboot, potentially resulting in a complete system compromise. The vulnerability was reported and acknowledged by RARLAB, the developers of WinRAR, who have issued a security patch in version 7.12 Beta 1 to address the issue.

Impact
Successful exploitation can result in:
Execution of arbitrary code with current user privileges.
Unauthorized file creation or overwriting on the victim's system
Complete system compromise, particularly under administrative contexts.
Potential attacks via email attachments, drive-by downloads, phishing campaigns, or as part of supply-chain and malvertising strategies.
Bypass of traditional sandbox or AV detection if the file appears legitimate during download.
This vulnerability is particularly dangerous due to WinRAR’s widespread use by businesses, home users, and organizational IT systems. Attackers can exploit this vulnerability by delivering malicious archives through phishing emails, drive-by downloads, or embedding them within seemingly legitimate software packages.
Detection Method
To identify signs of exposure or exploitation:
Monitor startup directories: Look for files extracted from archives that write to unusual directories, especially system paths, startup folders, or ‘%APPDATA%’.
Audit recently extracted files: Create an alert for new executable or script files generated during archive extraction processes.
Check WinRAR version: Scan systems for versions of WinRAR ≤ 7.11, as they are particularly vulnerable.
Review email and web traffic: Flag download activity involving suspicious .rar or
.zip files.Leverage endpoint protection solutions: Flag archive extraction activity from untrusted or suspicious sources.
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Patch immediately: Upgrade to WinRAR v7.12 Beta 1 (released June 10, 2025), and look for the final release, which is expected soon.
Enforce update policy: Apply to all Windows-based installations of WinRAR, RAR, UnRAR, and UnRAR.dll.
Harden defenses:
Block `.rar` file downloads from external or untrusted sources at the email/web gateway.
Promote phishing awareness and caution around opening archives.
Audit environments: Search for vulnerable WinRAR installations and ensure compliance.
Deploy monitoring for file creation anomalies: Especially in sensitive or startup environments.
Enable execution protection: Use application whitelisting to prevent the execution of binaries from temporary or extracted folders.
Conclusion
CVE-2025-6218 poses a significant security threat due to its high severity, ease of exploitation via social engineering, and potential for complete system takeover. By exploiting this directory traversal vulnerability, threat actors can place and execute files in unintended system paths, potentially compromising machines with minimal user interaction. Due to active exploitation in the wild and confirmed abuse in targeted attacks, organizations and individuals must prioritize applying the WinRAR 6.24 update and enhance controls around archive file handling. Addressing this threat now is crucial for preventing severe malware infections and maintaining endpoint security. We urge organizations to implement archive-handling policies, detection capabilities, and patch management to defend against this emerging threat.