The U.S. Cybersecurity and Infrastructure Security Agency added a WinRAR path traversal vulnerability, tracked as CVE-2025-6218, to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation. CISA described the flaw as capable of enabling code execution in the context of the current user and assigned a CVSS score of 7.8; exploitation requires a target to visit a malicious page or open a malicious file, the agency said in its alert.
RARLAB issued a patch in June 2025 with WinRAR 7.12 and said the bug affects only Windows builds. The vendor warned that the flaw could be abused to place files in sensitive locations such as the Windows Startup folder, potentially causing unintended code execution on the next login.
Security vendors and incident responders reported multiple exploitation instances attributed to at least three different threat groups: GOFFEE, Bitter (also tracked as APT-C-08 or Manlinghua) and Gamaredon. Independent analyses and reports from several firms have tracked the use of the WinRAR vulnerability in targeted attacks, and some researchers have published detailed write-ups and technical breakdowns.
Analysts reported that Bitter has used specially crafted RAR archives that drop a malicious Normal.dotm template into Microsoft Word’s global template path, so that a macro executes every time Word opens, giving the attackers persistence. Researchers linked the activity to a lightweight downloader that subsequently drops a C# trojan designed to contact an external command-and-control server and perform keylogging, screenshot capture, remote desktop credential harvesting and file exfiltration; the malicious archives are assessed to be distributed via spear-phishing, researchers said.
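The two abuse patterns described above (an archive entry that climbs out of the extraction directory into the Startup folder, and one that lands a Normal.dotm in Word's template path) can both be caught before a single file is written by auditing the archive's entry names. The script below is an added illustration, not code from the article, from RARLAB or from any of the cited researchers. It normalises each entry name, rejects absolute paths and names that resolve above the extraction root, and flags entries that resolve into a small list of well-known persistence directories. The directory suffixes, the POSIX-style extraction root and the sample entry names are all constructed assumptions for the demonstration; a real deployment would plug the archive library's entry listing into `audit_archive`.

```python
import posixpath

# Assumed layout of persistence-relevant directories in a default Windows profile,
# written lower-case with forward slashes so they can be matched after normalisation.
SENSITIVE_SUFFIXES = (
    "microsoft/windows/start menu/programs/startup",  # contents run at next login
    "microsoft/templates",                            # Word global template dir (Normal.dotm)
    "microsoft/word/startup",                         # Word add-in startup folder
)


def normalize_entry(name: str) -> str:
    """Treat '\\' and '/' alike as separators and collapse '.' and '..' components."""
    return posixpath.normpath(name.replace("\\", "/"))


def classify(norm: str) -> str:
    """'absolute' for rooted or drive-letter paths, 'traversal' if the name climbs
    above the extraction root after normalisation, otherwise 'ok'."""
    if norm.startswith("/") or (len(norm) >= 2 and norm[1] == ":"):
        return "absolute"
    if norm == ".." or norm.startswith("../"):
        return "traversal"
    return "ok"


def is_sensitive(target: str) -> bool:
    """True when the resolved target sits inside one of the watched directories."""
    lowered = target.lower()
    return any(suffix in lowered for suffix in SENSITIVE_SUFFIXES)


def resolve_entry(root: str, name: str):
    """Return (verdict, target); target is None unless the entry stays under root."""
    root = posixpath.normpath(root)
    norm = normalize_entry(name)
    verdict = classify(norm)
    if verdict != "ok":
        return verdict, None
    target = posixpath.normpath(posixpath.join(root, norm))
    # Second, independent check: the joined path must still carry the root prefix.
    if target != root and not target.startswith(root + "/"):
        return "traversal", None
    if is_sensitive(target):
        return "sensitive", target
    return "ok", target


def audit_archive(root: str, names):
    """Audit every entry name; returns a list of (name, verdict, target) tuples."""
    return [(n,) + resolve_entry(root, n) for n in names]


def safe_to_extract(report) -> bool:
    """Extraction should proceed only when every entry is plainly 'ok'."""
    return all(verdict == "ok" for _, verdict, _ in report)


# Constructed entry names for the demonstration; not taken from any real sample.
SAMPLE_ENTRIES = [
    "invoice/report.pdf",
    "docs/../../../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "AppData/Roaming/Microsoft/Templates/Normal.dotm",
]

if __name__ == "__main__":
    report = audit_archive("/home/user/downloads", SAMPLE_ENTRIES)
    for name, verdict, _ in report:
        print(f"{verdict:9s} {name}")
    print("safe to extract:", safe_to_extract(report))
```

The "sensitive" verdict is deliberately separate from "traversal": an archive extracted into a user's profile root can reach the template directory without any `..` component, so a check that only looks for traversal sequences would pass it. Treating both verdicts as blocking, and logging the entry name alongside the verdict, gives incident responders the indicator they need without ever writing the file.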
Gamaredon has been observed using the same WinRAR flaw in phishing campaigns against Ukrainian military, government and administrative targets to deliver malware known as Pteranodon, according to a security blog that tracked the operations. Reporting also tied a separate WinRAR path traversal (CVE-2025-8088) to distribution of Visual Basic Script malware and the deployment of a new wiper called GamaWiper in observed destructive incidents.
Because CISA has documented active exploitation, Federal Civilian Executive Branch agencies are required to apply fixes to affected systems by December 30, 2025. Organizations using WinRAR on Windows are advised to update to the fixed release (WinRAR 7.12) and to treat suspicious archives and phishing messages with caution.