CVE-2025-6218
published 2025-06-21


Priority: P1 85 high · CVSS 3.0: 7.8
CVSS vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-12-30
Exploited in the wild
EPSS: 86.19% (99.7th percentile)
RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

Affected

3 ranges

Vendor   Product  Version range  Fixed in
debian   rar
rarlab   winrar   < 7.12         7.12
rarlab   winrar

Detection & IOCs (extracted from sources)

path: %TEMP%
path: %LOCALAPPDATA%
path: Windows Startup directory
filename: Updater.lnk
filename: msedge.dll
filename: Settings.lnk
filename: Complaint.exe
snort:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT RAR File Directory Traversal Upload (CVE-2025-6218)"; flow:established,to_server; http.request_body; content:"|52 61 72 21 1a|"; fast_pattern; content:"|2e 2e 20|"; pcre:"/(?:\x2f|\x5c{2})\x2e{2}\s+[\x2e\x2f]\w+/"; threshold:type limit, seconds 600, count 1, track by_src; reference:url,www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/; reference:cve,2025-6218; classtype:bad-unknown; sid:2066600; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_01_06, cve CVE_2025_6218, deployment Perimeter, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort:
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT RAR File Directory Traversal Inbound (CVE-2025-6218)"; flow:established,to_client; file.data; content:"|52 61 72 21 1a|"; fast_pattern; content:"|2e 2e 20|"; pcre:"/(?:\x2f|\x5c{2})\x2e{2}\s+[\x2e\x2f]\w+/"; threshold:type limit, seconds 600, count 1, track by_src; reference:url,www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/; reference:cve,2025-6218; classtype:bad-unknown; sid:2066599; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_01_06, cve CVE_2025_6218, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)
bytes: |52 61 72 21 1a|
bytes: |2e 2e 20|
  • Detect malicious RAR archives exploiting CVE-2025-6218 by matching the RAR magic bytes (52 61 72 21 1a) together with the path traversal pattern of a double dot followed by a space (2e 2e 20) in HTTP request bodies or inbound file data.
  • Hunt for LNK files dropped in the Windows Startup directory after a RAR archive is extracted; this is the persistence mechanism used in active exploitation.
  • Monitor for msedge.dll being registered at COM hijack registry locations, indicative of the Mythic Agent attack chain leveraging CVE-2025-6218.
  • Detect ADS (Alternate Data Stream) entries within RAR archives; malicious archives contain numerous hidden ADS payloads used to conceal a malicious DLL and a Windows shortcut.
  • Alert on WinRAR generating multiple warnings while extracting a single archive: attackers deliberately add invalid ADS paths that produce harmless-looking warnings while the malicious payloads sit deeper in the file list.
  • Detect Complaint.exe (RustyClaw) spawning and downloading a MeltingClaw DLL, part of the MeltingClaw attack chain attributed to RomCom's exploitation of CVE-2025-6218.

  • Both Snort/Suricata rules require TLS decryption (tls_state TLSDecrypt) to be effective, since the malicious RAR content may be delivered over HTTPS.
  • CVE-2025-6218 affects only the Windows version of WinRAR (7.11 and older); Unix, Android, and the portable UnRAR source code are not affected by this flaw.
  • Exploitation requires user interaction (opening a malicious archive or visiting a specially crafted page), which limits but does not eliminate the risk given how widely WinRAR is deployed.
  • Extracted malicious files run with user-level access only, not administrative or SYSTEM rights, but can still steal credentials, install persistence, or enable remote access.
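The three-stage logic of the two ET EXPLOIT rules above (RAR magic, the ".. " content match, then the pcre), reimplemented in Python as an added example that is not code from the page's sources or from the rule authors, and run over constructed sample blobs. Function names and the sample byte strings are assumptions made for the illustration.

```python
import re

# Stages taken from the ET EXPLOIT rules quoted above.
RAR_MAGIC = b"\x52\x61\x72\x21\x1a"   # "Rar!\x1a", common prefix of the RAR4 and RAR5 signatures
DOT_DOT_SPACE = b"\x2e\x2e\x20"        # ".. " content match that narrows traffic before the regex runs
# Same expression as the rules' pcre: a "/" or two backslashes, "..", whitespace,
# then "." or "/" followed by a run of word characters.
TRAVERSAL_RE = re.compile(rb"(?:\x2f|\x5c{2})\x2e{2}\s+[\x2e\x2f]\w+")


def scan_blob(data: bytes) -> dict:
    """Apply the rule stages to one HTTP body or file blob and return the verdict."""
    verdict = {
        "rar_magic": RAR_MAGIC in data,          # stage 1: is there a RAR signature at all?
        "dot_dot_space": DOT_DOT_SPACE in data,  # stage 2: cheap fast-pattern style check
        "traversal": None,                       # stage 3: the matched fragment, if any
    }
    if verdict["rar_magic"] and verdict["dot_dot_space"]:
        m = TRAVERSAL_RE.search(data)
        if m:
            verdict["traversal"] = m.group(0).decode("latin-1")
    verdict["alert"] = verdict["traversal"] is not None
    return verdict


# Constructed sample blobs (hypothetical, not captured from real exploitation).
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
SAMPLES = {
    # ".. " inside an ordinary file name: stage 2 fires, the pcre does not, so no alert
    "benign": RAR5_SIG + b"\x00" * 8 + b"docs/notes.. draft.txt",
    # separator, "..", space, then a path component: all three stages fire
    "traversal": RAR5_SIG + b"\x00" * 8 + b"\\\\.. /Updater.lnk",
    # traversal text without any RAR signature: not a RAR delivery, no alert
    "no_magic": b"\\\\.. /Updater.lnk",
}


def scan_samples() -> dict:
    """Return {sample name: alert flag} for every constructed sample."""
    return {name: scan_blob(blob)["alert"] for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10s} -> {scan_blob(blob)}")
```

The benign sample shows why the rules chain the loose `|2e 2e 20|` content match with the pcre: on its own the content match would fire on any file name containing ".. ".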

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     7.8    HIGH      CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck               8.4    HIGH
cisa                    7.8    HIGH
vendor_debian           7.8    LOW