WinRAR Flaw (CVE-2025-6218): Remote Code Execution via Directory Traversal, Patch Available!
Trend Micro recently received a confidential report from a security researcher disclosing a critical vulnerability in WinRAR version 7.11 and earlier. This high-risk flaw allows threat actors to execute arbitrary code by crafting malicious archive files.
The attack vector is as follows: an attacker distributes a specially crafted archive online. Once a user downloads and opens the archive with WinRAR, the vulnerability is triggered and pre-configured code runs, for example initiating a connection to a command-and-control (C2) server to download a malicious payload.
This vulnerability, tracked as CVE-2025-6218, carries a CVSS score of 7.8 and arises from a directory traversal issue within WinRAR. While a patch has been issued in WinRAR 7.12 Beta 1, the stable version has not yet been updated.
CVE-2025-6218 is classified as a Remote Code Execution (RCE) vulnerability, enabling attackers to run malicious code within the context of the current user. Though exploitation requires user interaction, the overall risk remains severe.
The core of the exploit lies in the manipulation of file paths within archive contents, which can cause the WinRAR process to traverse into unintended directories. This form of path traversal bypasses standard security constraints, allowing files to be written outside the intended extraction path.
Such vulnerabilities are particularly dangerous when combined with other attack techniques, potentially leading to full system compromise. Technical analysis confirms the flaw lies within WinRAR’s file path processing routines during archive handling.
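The failure mode described above, an archive entry name that resolves outside the chosen extraction folder, can be checked for before any file is written. The following is an added example (not code from WinRAR, Trend Micro or the researcher); since Python's standard library has no RAR reader, it demonstrates the check on an in-memory ZIP built from constructed entry names, but the name check itself is format-independent and the function names are my own.

```python
import io
import ntpath
import posixpath
import zipfile

def entry_escapes(entry_name: str) -> bool:
    """True if an archive entry name would be written outside the extraction
    directory, the failure mode behind CVE-2025-6218. Purely lexical, so it
    can run before any file is written."""
    # WinRAR runs on Windows: accept either separator, then normalise to '/'.
    name = entry_name.replace("\\", "/")
    # Absolute, drive-qualified (C:, C:foo) and UNC (//server/share) names
    # ignore the chosen extraction folder entirely.
    if name.startswith("/") or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return True
    # Collapse '.' and '..' segments; anything that still climbs above the
    # extraction root is a traversal.
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")

def unsafe_entries(names) -> list[str]:
    """Filter entry names down to the ones that escape the extraction root."""
    return [n for n in names if entry_escapes(n)]

def scan_archive(fileobj) -> list[str]:
    """Return the escaping entry names of a ZIP archive (path or file-like).
    ZIP stands in for RAR here; only the name list is inspected."""
    with zipfile.ZipFile(fileobj) as zf:
        return unsafe_entries(zf.namelist())

def constructed_archive() -> io.BytesIO:
    """Build an in-memory ZIP from constructed entry names (not taken from any
    real malicious archive) covering the shapes the check must reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in [
            "docs/readme.txt",                  # fine
            "sub/./ok.txt",                     # fine after normalisation
            "img/../../outside.bin",            # climbs out via a nested '..'
            "..\\..\\Users\\Public\\evil.exe",  # Windows-style traversal
            "../../../etc/cron.d/job",          # POSIX-style traversal
            "C:\\Windows\\Temp\\drop.dll",      # drive-qualified absolute path
            "\\\\server\\share\\x.exe",         # UNC path
        ]:
            zf.writestr(name, b"placeholder")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name in scan_archive(constructed_archive()):
        print("REJECT", name)
```

Such a pre-extraction check is a defensive double-check for tooling that unpacks untrusted archives; it does not replace updating WinRAR itself.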
The vulnerability was discovered and privately reported by security researcher whs3-detonator, who disclosed the issue to Trend Micro. Upon verification, Trend Micro coordinated disclosure with WinRAR, resulting in a patch.
This vulnerability poses a significant threat to both individuals and enterprises. A simple phishing campaign built around a seemingly benign archive file could entice users to open it and unknowingly trigger the exploit, causing damage even at the level of individual users.
For enterprises, the implications are far more severe. Attackers could leverage WinRAR as an entry point into corporate networks, deploying malware that facilitates data theft or encrypts sensitive files via ransomware.
It is therefore imperative for organizations heavily reliant on WinRAR to immediately upgrade to WinRAR 7.12 Beta 1, and simultaneously reinforce employee cybersecurity training to discourage the downloading of files or archives from untrusted online sources.