Cyber Web Spider Blog – News

WinRAR Directory Vulnerability Lets Attackers Execute Arbitrary Code Using a Malicious File

Posted on June 24, 2025 By CWS

Abstract
1. A high-severity flaw (CVE-2025-6218) in WinRAR permits attackers to execute arbitrary code by exploiting how the software handles file paths inside archives.
2. The vulnerability allows attackers to use specially crafted archive files with directory traversal sequences, resulting in remote code execution.
3. Exploitation depends on user action, such as downloading or opening a malicious archive or visiting a compromised webpage.
4. RARLAB has released a security update; users should promptly upgrade WinRAR to the latest version to protect their systems.

A severe security vulnerability has been identified in RARLAB’s WinRAR software that allows remote attackers to execute arbitrary code through malicious archive files.

The flaw, designated CVE-2025-6218, carries a CVSS score of 7.8 and affects how the widely used file compression utility handles directory paths inside archive files.

WinRAR RCE Flaw

The directory traversal vulnerability, formally catalogued as ZDI-25-409, represents a significant security risk for WinRAR users worldwide.

This remote code execution (RCE) vulnerability allows attackers to execute malicious code in the context of the current user, though it requires user interaction to be successfully exploited.

The vulnerability’s CVSS vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates high impact across the confidentiality, integrity, and availability metrics.

The exploitation mechanism centers on crafted file paths inside archive files that can cause the WinRAR process to traverse to unintended directories.

This path traversal attack bypasses normal security boundaries, enabling attackers to write files to locations outside the intended extraction directory.

Such vulnerabilities are particularly dangerous because they can lead to full system compromise when combined with other attack techniques.

Technical analysis shows that the vulnerability exists within WinRAR’s file path handling routines when processing archive files.

Security researcher whs3-detonator, who discovered and reported the flaw, found that specially crafted archive files containing malicious directory paths can manipulate the extraction process.

The attack vector requires the target user to either visit a malicious webpage or open a malicious archive file, making it susceptible to social engineering attacks.

The technical exploitation leverages directory traversal sequences embedded within the archive file structure.

These sequences can include relative path indicators such as “../” patterns that allow the attacker to navigate outside the intended extraction directory.

Once successful, the vulnerability enables arbitrary code execution with the privileges of the user running WinRAR.
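
As an added illustration (not code from RARLAB or from the original article), the check below shows how an extraction tool or a triage script can flag archive entry names whose “../” sequences resolve outside the intended extraction directory. The function names, the destination path and the sample entry names are constructed for this example.

```python
import ntpath  # Windows path semantics, usable on any host OS


def traversal_reason(entry_name, dest):
    """Return why extracting entry_name under dest is unsafe, or None if it is fine."""
    name = entry_name.replace("/", "\\")  # archives may use either separator
    drive, rest = ntpath.splitdrive(name)
    if drive:
        return "drive letter or UNC prefix"
    if rest.startswith("\\"):
        return "rooted path"
    root = ntpath.normpath(dest)
    # normpath collapses "..\" segments so we compare the real target location.
    target = ntpath.normpath(ntpath.join(root, rest))
    # Component-wise comparison: "report-old" is not treated as inside "report".
    if ntpath.commonpath([root, target]) != root:
        return "resolves outside extraction directory"
    return None


def audit_listing(entry_names, dest):
    """Map each unsafe entry name to the reason it was rejected."""
    findings = {}
    for name in entry_names:
        reason = traversal_reason(name, dest)
        if reason:
            findings[name] = reason
    return findings


# Constructed sample values (hypothetical destination and entry names).
DEST = r"C:\Users\alice\Downloads\report"
SAMPLE_ENTRIES = [
    "report/summary.txt",              # stays inside
    "report/img/../notes.txt",         # ".." present but still inside
    "../../Documents/overwrite.txt",   # climbs out of the destination
    r"report\..\..\..\outside.cmd",    # climbs out after a benign prefix
    r"C:\Temp\abs.txt",                # absolute path with drive letter
    r"\\fileserver\share\unc.txt",     # UNC path
    "/rooted.txt",                     # rooted on the current drive
]

if __name__ == "__main__":
    for name, reason in audit_listing(SAMPLE_ENTRIES, DEST).items():
        print(f"REJECT {name!r}: {reason}")
```

The check resolves each name before comparing it, so an entry is judged by where it would land rather than by whether the string merely contains “..”.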

| Risk Factors | Details |
| --- | --- |
| Affected Products | RARLAB WinRAR (all versions prior to patch released on June 19, 2025) |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | User interaction required (opening a malicious archive file or visiting a compromised webpage) |
| CVSS 3.1 Score | 7.8 (High) |

Mitigation

RARLAB has promptly addressed this critical security issue by releasing an updated version of WinRAR.

Users are recommended to update to WinRAR 7.11 to experience faster speeds, improved usability, and new customization options.

The vendor has published detailed information about the security update, emphasizing the importance of applying this patch to prevent potential exploitation.

Organizations should prioritize this update because of the high severity rating and the potential for remote code execution attacks targeting their systems.
