The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new mandate for federal agencies to patch their systems immediately, following evidence of active exploitation in the wild. The agency has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, targeting widely used software from RARLAB and Microsoft.
The first vulnerability, CVE-2025-6218, affects the popular file compression tool WinRAR. This directory traversal flaw is particularly dangerous because it allows attackers to bypass security checks and plant malware deep within a user’s system simply by having them extract a file.
The flaw impacts WinRAR versions 7.11 and older on Windows. According to the report, the vulnerability allows malicious archives to trick the software into “silently” extracting files to sensitive locations, such as the Windows Startup folder.
“When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” the changelog notes.
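The changelog describes the core problem: the archive, not the user, ends up deciding where a file is written. A defensive way to reason about it is to validate every declared entry name against the chosen destination before anything is extracted. The check below is an added illustration written for this article; it is not RARLAB code and not the fix that WinRAR 7.12 shipped. It assumes the entry names have already been read as strings by whatever archive library is in use, and the destination path and sample entries (including one aimed at the Startup folder, as in the attacks described here) are constructed for the example.

```python
"""Pre-extraction path containment check for archive entry names.

Added example for this article, not RARLAB / WinRAR code. The question it
answers is the one behind CVE-2025-6218: given the names an archive
declares, would any of them be written outside the directory the user
picked? Windows path rules are applied via ntpath so the check behaves the
same on any host.
"""
import ntpath

# Destination the user chose (constructed sample value).
DEST = r"C:\Users\alice\Downloads\extracted"

# Entry names as an archive might declare them (constructed samples).
SAMPLE_ENTRIES = [
    "report/summary.txt",                       # benign, relative
    "report/img/logo.png",                      # benign, relative
    "report/../notes.txt",                      # '..' that stays inside dest
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/u.lnk",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u.lnk",
    r"C:\Windows\System32\drivers\x.sys",       # absolute, drive letter
    "/etc/passwd",                              # rooted, no drive
    r"\\server\share\x.exe",                    # UNC path
    "notes.txt:hidden",                         # NTFS alternate data stream
]


def is_safe_entry(name: str, dest: str = DEST) -> bool:
    """Return True only if `name` would land inside `dest`.

    The check is lexical: it resolves '.' and '..' against dest but does not
    follow symlinks or junctions that may already exist under dest, so it is
    a pre-extraction gate, not a complete substitute for a safe extractor.
    """
    if not name or "\x00" in name:
        return False
    # Windows accepts both separators; normalise to backslash first.
    n = name.replace("/", "\\")
    # Rooted paths ('\x'), UNC paths ('\\srv\share'), drive letters ('C:')
    # and alternate data streams ('file:stream') all escape the destination
    # or write somewhere the user never chose.
    if n.startswith("\\") or ":" in n:
        return False
    base = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(base, n))
    # Containment: target is dest itself or strictly below it. Comparing
    # against base + '\\' avoids the 'extracted2' prefix false-positive.
    return target == base or target.startswith(base + "\\")


def unsafe_entries(entries, dest: str = DEST):
    """Return the entry names that would escape `dest`, in archive order."""
    return [e for e in entries if not is_safe_entry(e, dest)]


if __name__ == "__main__":
    flagged = unsafe_entries(SAMPLE_ENTRIES)
    for e in SAMPLE_ENTRIES:
        print(("REJECT " if e in flagged else "ok     ") + e)
```

Run as a gate before extraction, an archive with any rejected entry is simply not unpacked. The third sample shows why the check resolves paths instead of rejecting any `..` outright: `report/../notes.txt` is harmless, while the Startup-folder entries are not.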
The exploitation of this flaw appears to be linked to the cybercrime underground. In July 2025, a threat actor known as “zeroplayer” was observed selling a WinRAR zero-day exploit on the dark web forum Exploit.in for $80,000.
Security researchers believe this exploit was acquired by Paper Werewolf (also known as GOFFEE), a hacking group that has reportedly weaponized the flaw in recent campaigns. While the attack requires user interaction—such as opening a malicious archive—the consequences are severe, potentially triggering “dangerous code execution the next time the user logs into Windows”.
The second vulnerability, CVE-2025-62221, strikes at the heart of the Windows operating system. It is a privilege escalation flaw located in the Windows Cloud Files Mini Filter Driver.
Microsoft describes the issue as a “Use after free” vulnerability. “Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally,” the advisory explains.
Successfully exploiting this flaw grants an attacker SYSTEM privileges, the highest level of access on a Windows machine. While Microsoft has not disclosed the specific mechanics of the exploit, the flaw has been attributed to the Microsoft Threat Intelligence Center (MSTIC).
Given the active exploitation of these flaws, CISA has set a strict deadline. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by December 30, 2025, to secure their networks against these evolving threats.