CVE-2025-6218 — RARLAB WinRAR Path Traversal Vulnerability

CVE-2025-6218

WinRAR for Windows path traversal (June 2025), fixed in WinRAR 7.12; added to the CISA KEV catalog in December 2025; distinct from CVE-2025-8088

What is WinRAR?

WinRAR is a widely used Windows file archiving utility. Path traversal vulnerabilities in its extraction engine let a maliciously crafted archive write files outside the directory the user chose for extraction, so an attacker can drop a payload into a Startup folder, a directory on PATH, or an application folder the moment the victim extracts the archive. WinRAR has a multi-year history of extraction flaws that end in code execution: CVE-2023-38831 (2023, a flaw in how files opened from inside an archive were extracted and launched, not a path traversal), CVE-2025-6218 (this CVE) and CVE-2025-8088 (August 2025), the last two both path traversals.

Overview

CVE-2025-6218 is a path traversal (CWE-22) in WinRAR for Windows. It is distinct from, and predates, the related path traversal CVE-2025-8088 (August 2025). Both affect the extraction engine on Windows and allow a crafted archive to write files outside the chosen extraction directory, anywhere the extracting user has write access. The fix shipped in WinRAR 7.12 in June 2025; CISA added the CVE to its Known Exploited Vulnerabilities catalog in December 2025, which means it had evidence of in-the-wild exploitation by then. The six-month gap shows that unpatched installations were still worth attacking at that point; it does not say when exploitation began.

Affected Versions

Product            Vulnerable   Fixed
WinRAR (Windows)   < 7.12       7.12

Technical Details

The traversal (CWE-22) sits in WinRAR's archive extraction engine for Windows. A crafted archive entry carries a name with parent-directory components (such as ..\), so when WinRAR joins that name to the user-selected extraction directory the resulting path lands above that directory, and the entry's contents are written wherever the extracting user has write access. The CVSS vector is Local (AV:L): the archive has to be on the victim's machine and opened there, although it can arrive over the network by email, download or removable media.

Key differences from CVE-2025-8088:

  • CVE-2025-6218 (June 2025): fixed in WinRAR 7.12; classified as CWE-22, a traversal through parent-directory components in entry names
  • CVE-2025-8088 (August 2025): fixed in WinRAR 7.13; classified as CWE-35, the traversal variant that uses sequences such as .../...// to get past naive filtering

Both are Windows-only vulnerabilities; Linux/macOS RAR versions are unaffected.

Exploitation scenario:

  1. Attacker creates a malicious archive with traversal paths in entry filenames
  2. Delivers via phishing email, download link, or file sharing
  3. Victim double-clicks to extract — typical user behavior
  4. Attacker's payload is written to startup folder, application directory, or other accessible path
  5. Code executes on next reboot or application launch

Discovery

Reported to RARLAB through Trend Micro's Zero Day Initiative, with credit to the researcher whs3-detonator. No threat actor has been publicly named for the in-the-wild exploitation behind the KEV listing.

Exploitation Context

CISA added CVE-2025-6218 to the KEV catalog in December 2025, six months after the fix in WinRAR 7.12. A KEV entry means CISA had evidence of active exploitation at listing time; it does not say when the activity began, only that installations without the June update were still being attacked in December. WinRAR flaws have been weaponized repeatedly since CVE-2023-38831 (2023), and because WinRAR does not update itself, outdated installations remain common.

Remediation

  1. Update WinRAR to 7.12 or later. The current release line (7.13 and later) also fixes CVE-2025-8088, so moving to the latest version from win-rar.com closes both. WinRAR does not auto-update, so every installation has to be updated by hand or through your software deployment tooling. The CISA BOD 22-01 deadline for this CVE was December 30, 2025.
  2. Verify the installed version via Help → About WinRAR, or check the file version of WinRAR.exe in your software inventory for fleet-wide confirmation.
  3. Block RAR archive attachments at the email gateway for organizational deployments, and treat archives from untrusted sources as executable content.
  4. Do not assume one update covers both 2025 CVEs: confirm the installed version is 7.13 or later, which fixes CVE-2025-6218 and CVE-2025-8088.

Key Details

CVE ID: CVE-2025-6218
Vendor / Product: RARLAB WinRAR
NVD Published: 2025-06-21
NVD Last Modified: 2025-12-10
CVSS v3 Score: 7.8 (High)
CVSS v3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-22
CISA KEV Added: 2025-12-09
CISA KEV Deadline: 2025-12-30
Known Ransomware Use: No

CVSS v3 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2025-12-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-06-21  CVE published; fix available in WinRAR 7.12
2025-12-09  Added to the CISA Known Exploited Vulnerabilities catalog
2025-12-30  CISA BOD 22-01 remediation deadline

References

Resource                                         Type
WinRAR Security Release, Version 7.12            Vendor Advisory
NVD entry for CVE-2025-6218                      Vulnerability Database
CISA KEV Catalog Entry                           US Government