WinRAR Flaw CVE-2025-6218 Exploited by Russian, Chinese, and Pakistani APTs
CISA adds WinRAR path traversal vulnerability to KEV catalog as Gamaredon, Bitter, and GOFFEE deploy it for espionage and wiper attacks across multiple continents.
A path traversal vulnerability in WinRAR has become a favorite tool for nation-state hackers. CVE-2025-6218, patched by RARLAB in June 2025, is now being weaponized by at least three distinct APT groups targeting government organizations, military entities, and critical infrastructure across Europe, Asia, and the former Soviet states.
TL;DR
- What happened: CVE-2025-6218, a path traversal flaw in WinRAR, is under active exploitation by multiple nation-state threat actors
- Who's affected: Government organizations in Ukraine, South Asia, and Russia running WinRAR versions prior to 7.12
- Severity: High (CVSS 7.8) - Enables arbitrary file write leading to code execution
- Action required: Update WinRAR to version 7.12 or later immediately (7.13 also closes CVE-2025-8088, discussed below); WinRAR does not auto-update
How Does CVE-2025-6218 Work?
The vulnerability exists in how WinRAR handles the file paths stored inside archive entries. A specially crafted archive can contain entries whose path components (relative segments such as `..`) are not fully sanitized, so when the archive is extracted those files are written outside the directory the user selected.
An attacker can drop a file into any location the victim's account can already write to, such as the per-user Windows Startup folder, and gain persistence and code execution the next time the victim logs in. No privilege escalation is involved: WinRAR writes the file under the victim's own account. The attack requires minimal user interaction; the victim only needs to extract what appears to be a legitimate archive.
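The check that an extractor must perform is easier to see in code. The example below is added here and is not WinRAR's code or the actual CVE-2025-6218 patch; it models the bug class on Windows path semantics using Python's `ntpath` module. The extraction directory and the archive entry names are constructed for illustration and are not real indicators from any of the campaigns described on this page.

```python
import ntpath

# Hypothetical extraction directory chosen by the victim (assumption).
EXTRACT_DIR = r"C:\Users\victim\Downloads\report"

# Constructed entry names modelling a crafted archive; not real IOCs.
SAMPLE_ENTRIES = [
    r"report.pdf",                          # benign: lands in EXTRACT_DIR
    r"images\chart.png",                    # benign: nested subfolder
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Windows\Temp\payload.exe",         # absolute path with drive letter
    r"\Windows\Temp\payload.exe",           # rooted, drive-relative path
    r"D:\payload.exe",                      # different drive entirely
    r"docs/../../../Desktop/payload.exe",   # forward slashes, still traversal
]


def vulnerable_target(extract_dir: str, name: str) -> str:
    """Naive join that trusts the entry name: the bug class behind CVE-2025-6218.

    ntpath.join lets an absolute or rooted name replace the base, and normpath
    happily resolves '..' segments out of the extraction directory.
    """
    return ntpath.normpath(ntpath.join(extract_dir, name))


def safe_target(extract_dir: str, name: str):
    """Return the resolved path only if it stays inside extract_dir, else None.

    The containment test is done on the normalized result rather than by
    scanning the name for '..', so rooted paths, other drives and mixed
    separators are all caught by the same rule.
    """
    base = ntpath.normpath(extract_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))
    try:
        inside = ntpath.commonpath([base, candidate]) == base
    except ValueError:  # commonpath raises when the two paths are on different drives
        inside = False
    if not inside or candidate == base:
        return None
    return candidate


def audit_entries(extract_dir: str, entries):
    """Classify each entry as ('ok', target) or ('rejected', path_naive_code_would_write)."""
    results = {}
    for name in entries:
        safe = safe_target(extract_dir, name)
        if safe is None:
            results[name] = ("rejected", vulnerable_target(extract_dir, name))
        else:
            results[name] = ("ok", safe)
    return results


if __name__ == "__main__":
    for name, (verdict, path) in audit_entries(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print(f"{verdict:8} {name!r:75} -> {path}")
```

Running the block prints, for each rejected entry, the path a naive extractor would have written; the Startup-folder entry resolves to `C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe`, which is exactly the persistence location the campaigns above abuse. The same containment check applies to any archive format, which is why the zip-slip family of bugs keeps reappearing in extractors that only strip a leading `..`.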
RARLAB fixed the flaw in WinRAR 7.12, released in June 2025. But because WinRAR lacks an automatic update mechanism, millions of installations remain vulnerable months later.
Which Threat Groups Are Exploiting It?
Gamaredon (Russia)
Ukraine's CERT first observed Gamaredon exploiting CVE-2025-6218 in November 2025. The Russia-linked group, also known as Primitive Bear or Shuckworm, has used the vulnerability in phishing campaigns targeting Ukrainian military, government, and administrative organizations.
In a notable escalation, Gamaredon deployed a new destructive payload called GamaWiper through the vulnerability. This marks a shift from the group's traditional espionage focus toward cyber sabotage—mirroring broader Russian strategy in the ongoing conflict.
Bitter (APT-C-08)
The South Asia-focused espionage group Bitter, tracked as APT-C-08, has incorporated CVE-2025-6218 into targeted campaigns against government organizations in Bangladesh, Pakistan, and India. Bitter's operations typically involve phishing emails with malicious RAR archives containing decoy documents.
Once extracted, the path traversal payload drops a backdoor into the user's startup folder. The group has historically targeted defense, energy, and government sectors in the region.
GOFFEE
Russian security firm Kaspersky identified GOFFEE exploiting both CVE-2025-6218 and CVE-2025-8088 (a second WinRAR path traversal, fixed in version 7.13) against organizations within Russia during July 2025. GOFFEE is a lesser-known actor; its focus on domestic Russian targets sets it apart from the other two groups, and its motivation has not been established.
Why WinRAR Vulnerabilities Keep Recurring
WinRAR's install base numbers in the hundreds of millions, with particularly high adoption in Eastern Europe and Asia. The software's lack of automatic updates creates a long tail of vulnerable installations that persist for years after patches are released.
CVE-2023-38831, an earlier WinRAR flaw from 2023 (a file-spoofing bug rather than a path traversal, but likewise delivered through crafted archives), remained a popular exploitation vector well into 2024 for exactly this reason. Archive-based attacks also blend seamlessly with phishing workflows: users expect to receive compressed files, and security awareness training rarely emphasizes the risks of extraction.
What Organizations Should Do
- Inventory WinRAR installations across endpoints and servers; many organizations don't track this software
- Deploy the current WinRAR release using software deployment tools, since the application won't update itself; 7.12 is the minimum for CVE-2025-6218, and 7.13 also covers CVE-2025-8088
- Consider whether WinRAR is needed at all; if you switch to an alternative such as 7-Zip, remember that it also has to be updated manually
- Block RAR attachments at the email gateway if your organization doesn't have a business need for the format
- Hunt for IOCs if you've received suspicious archives—check startup folders for unexpected executables
CISA added CVE-2025-6218 to its Known Exploited Vulnerabilities catalog on December 9, 2025, requiring federal agencies to patch by December 30.
Frequently Asked Questions
Is my organization vulnerable to CVE-2025-6218?
If you're running WinRAR version 7.11 or earlier on any Windows system, yes. The vulnerability only affects Windows builds—Unix and Android versions of WinRAR are not impacted. Check your version by opening WinRAR and clicking Help > About.
What should I do if we received a suspicious RAR file?
Don't extract it. Forward the file to your security team for analysis. If someone already extracted a suspicious archive, check the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) for unexpected files, paying attention to anything with a modification time close to the extraction, and check the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) as well.
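A small triage script for the Startup-folder check recommended above and in the hunting step of the organizational checklist. It is an added example, not a tool from CERT-UA, Kaspersky or any of the cited vendors: it lists executable-like files (including shortcuts, which are often used for persistence) whose modification time falls after a cut-off, hashes them for IOC comparison, and resolves the two Windows Startup folders from the environment when run on Windows. The `demo()` function builds a constructed Startup folder in a temporary directory so the logic can be exercised on any platform; the file names inside it are invented.

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta

# File types that should not silently appear in a Startup folder.
EXECUTABLE_EXT = {
    ".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk",
}


def default_startup_dirs():
    """Per-user and all-users Startup folders on Windows; empty list elsewhere."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    programdata = os.environ.get("PROGRAMDATA")
    if appdata:
        dirs.append(os.path.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if programdata:
        dirs.append(os.path.join(programdata, r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return dirs


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_startup(dirs, since: datetime, allowlist=frozenset()):
    """Return one finding per executable-like file modified at or after `since`.

    `allowlist` holds lowercase file names known to be legitimate (for example
    taken from a golden image); anything else with a flagged extension and a
    recent modification time is reported with size and SHA-256 for IOC matching.
    """
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.scandir(d):
            if not entry.is_file():
                continue
            ext = os.path.splitext(entry.name)[1].lower()
            if ext not in EXECUTABLE_EXT or entry.name.lower() in allowlist:
                continue
            st = entry.stat()
            mtime = datetime.fromtimestamp(st.st_mtime)
            if mtime < since:
                continue
            findings.append({
                "path": entry.path,
                "mtime": mtime.isoformat(timespec="seconds"),
                "size": st.st_size,
                "sha256": sha256_of(entry.path),
            })
    return findings


def demo():
    """Constructed scenario: one week-old shortcut and one freshly dropped .exe.

    Returns the base names flagged when hunting for changes in the last 24 hours.
    """
    tmp = tempfile.mkdtemp(prefix="startup_demo_")
    old_lnk = os.path.join(tmp, "CloudSync.lnk")   # invented legitimate-looking shortcut
    new_exe = os.path.join(tmp, "update.exe")      # invented dropped payload name
    with open(old_lnk, "wb") as f:
        f.write(b"old shortcut")
    with open(new_exe, "wb") as f:
        f.write(b"MZ not a real executable")
    week_ago = time.time() - 7 * 86400
    os.utime(old_lnk, (week_ago, week_ago))        # make the shortcut look pre-existing
    cutoff = datetime.now() - timedelta(days=1)
    return sorted(os.path.basename(f["path"]) for f in hunt_startup([tmp], cutoff))


if __name__ == "__main__":
    # On a Windows endpoint: hunt the real folders for anything newer than 14 days.
    for finding in hunt_startup(default_startup_dirs(), datetime.now() - timedelta(days=14)):
        print(finding)
    print("demo:", demo())
```

Set `since` to the time the suspicious archive was opened, and compare the reported hashes with the indicators published by CERT-UA and the vendors cited above; a hit on the per-user folder is consistent with the write-as-user behaviour of CVE-2025-6218, whereas a change in the all-users folder implies an account that already had administrative rights.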
Are other archive tools affected?
No. The CVE is specific to WinRAR's implementation; 7-Zip, Windows' built-in ZIP support, and other archive utilities are not affected by CVE-2025-6218. Path traversal during extraction is a recurring bug class across archive tools, though, so the same extraction hygiene applies regardless of the utility in use.