The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of energetic exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS rating: 7.8), is a path traversal bug that would allow code execution. Nevertheless, for exploitation to succeed, it requires a potential goal to go to a malicious web page or open a malicious file.
“RARLAB WinRAR accommodates a path traversal vulnerability permitting an attacker to execute code within the context of the present person,” CISA stated in an alert.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It solely impacts Home windows-based builds. Variations of the instrument for different platforms, together with Unix and Android, usually are not affected.
“This flaw might be exploited to position information in delicate areas — such because the Home windows Startup folder — probably resulting in unintended code execution on the following system login,” RARLAB famous on the time.
The event comes within the wake of a number of experiences from BI.ZONE, Foresiet, SecPod, and Synaptic Safety, the vulnerability has been exploited by two totally different risk actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.
In an evaluation printed in August 2025, the Russian cybersecurity vendor stated there are indications that GOFFEE could also be exploited CVE-2025-6218 together with CVE-2025-8088 (CVSS rating: 8.8), one other path traversal flaw in WinRAR, in assaults focusing on organizations within the nation in July 2025 through phishing emails.
It has since emerged that the South Asia-focused Bitter APT has additionally weaponized the vulnerability to facilitate persistence on the compromised host and finally drop a C# trojan by way of a light-weight downloader. The assault leverages a RAR archive (“Provision of Info for Sectoral for AJK.rar”) that accommodates a benign Phrase doc and a malicious macro template.
“The malicious archive drops a file named Regular.dotm into Microsoft Phrase’s world template path,” Foresiet stated final month. “Regular.dotm is a world template that hundreds each time Phrase is opened. By changing the reputable file, the attacker ensures their malicious macro code executes robotically, offering a persistent backdoor that bypasses customary electronic mail macro blocking for paperwork obtained after the preliminary compromise.”
The C# trojan is designed to contact an exterior server (“johnfashionaccess[.]com”) for command-and-control (C2) and allow keylogging, screenshot seize, distant desktop protocol (RDP) credential harvesting, and file exfiltration. It is assessed that the RAR archives are propagated through spear-phishing assaults.
Final however not least, CVE-2025-6218 has additionally been exploited by a Russian hacking group often known as Gamaredon in phishing campaigns focusing on Ukrainian navy, governmental, political, and administrative entities to contaminate them with a malware known as Pteranodon. The exercise was first noticed in November 2025.
“This isn’t an opportunistic marketing campaign,” a security researcher who goes by the identify Robin stated. “It’s a structured, military-oriented espionage and sabotage operation per, and sure coordinated by, Russian state intelligence.”
It is price noting that the adversary has additionally extensively abused CVE-2025-8088, utilizing it to ship malicious Visible Primary Script malware and even deploying a brand new wiper codenamed GamaWiper.
“This marks the primary noticed occasion of Gamaredon conducting harmful operations reasonably than its conventional espionage actions,” ClearSky stated in a November 30, 2025, submit on X.
In gentle of energetic exploitation, Federal Civilian Govt Department (FCEB) businesses are required to use the required fixes by December 30, 2025, to safe their networks.
