Cyber Web Spider Blog – News
WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups

Posted on December 10, 2025 (updated December 11, 2025) by CWS

Dec 10, 2025 | Ravie Lakshmanan | Vulnerability / Malware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw affecting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could allow code execution. However, for exploitation to succeed, a potential target has to visit a malicious page or open a malicious file.
"RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user," CISA said in an alert.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.

"This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login," RARLAB noted at the time.
The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security that the vulnerability has been exploited by two different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.
In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may have exploited CVE-2025-6218 together with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails.

It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to establish persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader. The attack uses a RAR archive ("Provision of Info for Sectoral for AJK.rar") that contains a benign Word document and a malicious macro template.
"The malicious archive drops a file named Normal.dotm into Microsoft Word's global template path," Foresiet said last month. "Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise."
The C# trojan is designed to contact an external server ("johnfashionaccess[.]com") for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration. The RAR archives are assessed to be propagated via spear-phishing attacks.
Last but not least, CVE-2025-6218 has also been exploited by a Russian hacking group known as Gamaredon in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities to infect them with a malware known as Pteranodon. The activity was first observed in November 2025.
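Both abuse patterns described above (dropping a file into the Windows Startup folder, or replacing Word's global template Normal.dotm) depend on an archive entry name that escapes the extraction directory. The following is an added example, not code from the article, from RARLAB, or from any of the vendors cited: a generic pre-extraction audit of the kind an extractor, mail gateway, or sandbox could apply to each entry name in an archive listing. It rejects names that would land outside the chosen directory and separately flags names aimed at a Startup folder or Normal.dotm even when they do not traverse. The function names, the sample entry listing, and the sensitive-location heuristic are all assumptions made for this example.

```python
"""Audit archive entry names for path traversal before extraction.

Added example, not the article's or RARLAB's code. Works on the entry
names alone, so it needs no RAR parser and can run over any listing.
"""
import os
import posixpath

# Destinations the article names as abuse targets (heuristic, constructed for this example).
SENSITIVE_BASENAMES = {"normal.dotm"}
SENSITIVE_DIR_TOKENS = {"startup"}


def entry_escapes_base(base_dir: str, entry_name: str) -> bool:
    """Return True if writing entry_name relative to base_dir would leave base_dir."""
    # Treat backslashes as separators, since Windows extractors do.
    name = entry_name.replace("\\", "/")
    # Absolute paths, UNC paths (//server/share) and drive letters (C:...) are never acceptable.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    # Collapse '.' and '..' segments the way an extractor's filesystem call would.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return True
    # Belt and braces: resolve the concrete destination and confirm containment.
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, *norm.split("/")))
    return os.path.commonpath([base, dest]) != base


def targets_sensitive_location(entry_name: str) -> bool:
    """Return True if the name points at a Startup folder or Word's global template."""
    parts = [p.lower() for p in entry_name.replace("\\", "/").split("/") if p]
    if not parts:
        return False
    if parts[-1] in SENSITIVE_BASENAMES:
        return True
    return any(p in SENSITIVE_DIR_TOKENS for p in parts[:-1])


def audit_entries(base_dir: str, entries):
    """Map each entry name to 'traversal', 'sensitive' or 'ok'.

    'traversal' takes precedence: an entry that escapes base_dir must never be
    written, whatever its file name; 'sensitive' is a review flag for entries
    that stay inside base_dir but carry a name worth a second look.
    """
    verdicts = {}
    for name in entries:
        if entry_escapes_base(base_dir, name):
            verdicts[name] = "traversal"
        elif targets_sensitive_location(name):
            verdicts[name] = "sensitive"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample listing modelled on the behaviour the article describes.
SAMPLE_ENTRIES = [
    "report.docx",                                             # benign decoy document
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",   # traversal into Word's template path
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.vbs",
    "C:/Users/Public/payload.exe",                              # absolute path
    "docs/../readme.txt",                                       # '..' that still resolves inside base
    "Templates/Normal.dotm",                                    # no traversal, but a name worth flagging
]

if __name__ == "__main__":
    for entry, verdict in audit_entries("/tmp/extract_demo", SAMPLE_ENTRIES).items():
        print(f"{verdict:9s} {entry}")
```

The containment check is done twice on purpose: the string-level test on the normalised name catches traversal independently of the filesystem, and the `realpath` comparison catches anything the string test misses once symlinks or an unusual base directory are involved. A real extractor should additionally refuse to follow symlinked directories already present under the extraction root.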

"This isn't an opportunistic campaign," a security researcher who goes by the name Robin said. "It's a structured, military-oriented espionage and sabotage operation in line with, and likely coordinated by, Russian state intelligence."
It's worth noting that the adversary has also extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploying a new wiper codenamed GamaWiper.
"This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities," ClearSky said in a November 30, 2025, post on X.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks.

Category: The Hacker News. Tags: Active, Attack, CVE-2025-6218, Groups, Multiple, Threat, Vulnerability, WinRAR

Copyright © 2025 Cyber Web Spider Blog – News.