WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

WinRAR Vulnerability CVE-2025-6218 Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6218, a path traversal vulnerability in WinRAR, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, with a CVSS score of 7.8, has been actively exploited by at least three threat actors – GOFFEE, Bitter, and Gamaredon – since July 2025.

Ideal security models assume timely patching and user awareness, however, real-world deployment lags and successful phishing campaigns demonstrate persistent risk. Failure to address this vulnerability can lead to code execution, data exfiltration, and potential system compromise, with estimated remediation costs reaching into the millions for large organizations.

Key Insights

• CVE-2025-6218 added to CISA KEV catalog: December 2025
• Path traversal vulnerabilities: Allow attackers to access files and directories outside the intended root, potentially leading to code execution.
• APT Groups Exploiting: GOFFEE, Bitter, and Gamaredon are leveraging the vulnerability for espionage, persistence, and wiper deployment.

Practical Applications

• Use Case: Gamaredon uses CVE-2025-6218 to deliver Pteranodon malware to Ukrainian entities.
• Pitfall: Relying solely on email security filters; attackers bypass these using RAR archives containing malicious macro templates.

References:

• https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html