
WinRAR Path Traversal Bug CVE-2025-6218 Exploited Actively

Critical WinRAR Vulnerability CVE-2025-6218 Exploited by Advanced Threat Actors in Targeted Phishing Campaigns

  • A path traversal vulnerability in the Windows version of WinRAR (CVE-2025-6218) enables code execution and is being actively exploited.
  • The flaw allows attackers to place files in sensitive locations, such as the Windows Startup folder, causing code to run on user login.
  • Several advanced threat actors, including GOFFEE, Bitter (APT-C-08), and Gamaredon, have exploited this vulnerability in targeted phishing campaigns.
  • Bitter uses the vulnerability to drop a C# trojan via a malicious RAR archive with a macro-enabled Word document, enabling persistence and data theft.
  • Federal Civilian Executive Branch agencies must apply patches by December 30, 2025, following the advisory from the U.S. Cybersecurity and Infrastructure Security Agency.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting the Windows version of the WinRAR file compression tool to its Known Exploited Vulnerabilities catalog on December 9, 2025. The flaw, tracked as CVE-2025-6218 with a CVSS score of 7.8, is a path traversal vulnerability that could allow code execution if a user opens a malicious file or visits a crafted webpage.


The vulnerability permits attackers to place files in sensitive locations, such as the Windows Startup folder, potentially triggering code execution upon system login. RARLAB patched this issue in WinRAR 7.12 released in June 2025. Other platform versions, including Unix and Android, are unaffected.

Multiple cybersecurity firms report that threat actors have exploited this vulnerability in attacks. The adversaries include GOFFEE (aka Paper Werewolf), Bitter (also known as APT-C-08 or Manlinghua), and Gamaredon. GOFFEE reportedly combined CVE-2025-6218 with another WinRAR path traversal flaw (CVE-2025-8088) in phishing campaigns targeting organizations in Russia in mid-2025.

The South Asia–focused Bitter APT group weaponized the vulnerability by delivering a malicious RAR archive named “Provision of Information for Sectoral for AJK.rar.” This archive contains a benign Word document alongside a malicious macro template that drops a file named Normal.dotm into the global template path of Microsoft Word. According to Foresiet, “Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking.” The dropped C# trojan communicates with the server johnfashionaccess[.]com for command and control, enabling keylogging, screenshot capture, remote desktop protocol credential theft, and data exfiltration.
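A defensive check for the two drop locations described above (the Windows Startup folder and Word's global Normal.dotm template), added here as an example that is not from the article or from RARLAB: it resolves archive member names the way a naive extractor would and flags any that leave the extraction directory. The member names, user profile and function names are constructed for illustration, and the check covers plain `..` and rooted names only, not the specific encoding used by CVE-2025-6218.

```python
import ntpath  # Windows path semantics, usable on any OS

def resolve_member(dest_root, member):
    """Path a naive extractor would write to: join, then collapse '..'."""
    # ntpath.join drops dest_root when member is rooted or carries a drive.
    return ntpath.normpath(ntpath.join(dest_root, member.replace("/", "\\")))

def classify(dest_root, member):
    """Return the list of reasons a member name is unsafe (empty if safe)."""
    root = ntpath.normcase(ntpath.normpath(dest_root)).rstrip("\\") + "\\"
    low = ntpath.normcase(resolve_member(dest_root, member))
    reasons = []
    if not (low + "\\").startswith(root):
        reasons.append("escapes-extraction-dir")
    # Persistence locations named in the article.
    if "\\start menu\\programs\\startup\\" in low:
        reasons.append("startup-folder")
    if low.endswith("\\microsoft\\templates\\normal.dotm"):
        reasons.append("word-global-template")
    return reasons

def audit_members(dest_root, members):
    """Map each flagged member name to its reasons; safe names are omitted."""
    flagged = {}
    for m in members:
        reasons = classify(dest_root, m)
        if reasons:
            flagged[m] = reasons
    return flagged

# Constructed sample listing (not taken from any real archive).
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE = [
    r"report\summary.docx",
    r"docs\..\notes.txt",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",
    r"C:\Windows\Temp\x.dll",
]

if __name__ == "__main__":
    for name, why in audit_members(DEST, SAMPLE).items():
        print(f"BLOCK {name!r}: {', '.join(why)}")
```

A listing with any flagged member should be quarantined rather than extracted; updating to WinRAR 7.12 or later remains the actual fix.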

Additionally, the Russian group Gamaredon utilized CVE-2025-6218 in phishing campaigns targeting Ukrainian military and government institutions. They deployed malware called Pteranodon, with operations first observed in November 2025. A security researcher named Robin described the campaign as “a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.” Gamaredon has also extensively exploited CVE-2025-8088 for delivering Visual Basic Script malware and a destructive wiper known as GamaWiper, marking a shift from espionage to destructive actions.


Federal Civilian Executive Branch agencies are required to implement patches for this vulnerability by December 30, 2025, to protect their systems. Detailed information about the vulnerability and advisories can be found at the CVE-2025-6218 entry and the CISA Known Exploited Vulnerabilities catalog.
