A newly disclosed vulnerability in RARLAB’s WinRAR, the long-standing compression utility for Windows, has exposed millions of users to a severe directory traversal flaw that could lead to remote code execution (RCE). Tracked as CVE-2025-6218 and rated CVSS 7.8, this vulnerability could allow an attacker to run arbitrary code on a victim’s machine simply by getting them to open a specially crafted archive file.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR,” the advisory warns.
At the heart of this issue is how WinRAR processes file paths inside archive files. The flaw is insufficient validation when extracting archive entries: a crafted path value in an entry is not properly sanitized before it is used. By including directory traversal sequences (such as ../) in a file's path, an attacker can cause WinRAR to extract files to unexpected locations on the victim's system, outside the directory the user chose for extraction.
“The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories,” the advisory explains.
Once the attacker successfully writes a file to a sensitive directory, such as a startup folder or a system executable path, arbitrary code execution follows the next time the victim opens the file or restarts the system.
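The defensive check that this class of bug is missing is a containment test: before any archive entry is written, the entry name is joined to the user's chosen destination directory, normalized, and rejected unless the result still lies inside that directory. The following Python is an added illustration, not WinRAR's code (which is C++) and not from RARLAB or the advisory; the function names and the sample archive listing are constructed for this example. It goes slightly beyond the `../` case in the text by also rejecting absolute paths, drive or UNC prefixes, and the prefix-collision case where `../outside` resolves next to a root named `out`.

```python
import posixpath
import re

# Hypothetical helper names; not WinRAR's own code. Paths are handled with
# POSIX semantics so the check behaves the same on every host.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def normalize_entry_name(name: str) -> str:
    """Archive formats may store backslashes; map both separators to '/'."""
    return name.replace("\\", "/")


def classify_entry(dest_root: str, name: str):
    """Decide whether extracting `name` under `dest_root` stays inside it.

    Returns (is_safe, resolved_path, reason). The resolved path is None when
    the entry is rejected before a destination can even be computed.
    """
    unified = normalize_entry_name(name)
    if _DRIVE_OR_UNC.match(name) or unified.startswith("/"):
        return False, None, "absolute path or drive/UNC prefix"
    if "\x00" in unified:
        return False, None, "embedded NUL"
    root = posixpath.normpath(dest_root)
    # normpath collapses '.' and '..' segments, which is what turns a
    # traversal sequence into a path that no longer starts with the root.
    candidate = posixpath.normpath(posixpath.join(root, unified))
    prefix = root if root.endswith("/") else root + "/"
    # Compare against root + "/" so that "/tmp/outside" is not mistaken for
    # something under "/tmp/out".
    if candidate != root and not candidate.startswith(prefix):
        return False, candidate, "escapes destination directory"
    return True, candidate, "ok"


def scan_listing(dest_root: str, names):
    """Return [(entry_name, reason)] for every entry that must not be extracted."""
    rejected = []
    for entry in names:
        ok, _, reason = classify_entry(dest_root, entry)
        if not ok:
            rejected.append((entry, reason))
    return rejected


# Constructed archive listing: two benign entries and four traversal attempts.
SAMPLE_LISTING = [
    "report/summary.txt",
    "report/images/./chart.png",
    "../../../dropped.exe",
    "..\\..\\dropped.exe",
    "C:\\Users\\Public\\dropped.exe",
    "../outside/dropped.exe",
]

if __name__ == "__main__":
    for entry, reason in scan_listing("/tmp/out", SAMPLE_LISTING):
        print(f"REJECT {entry!r}: {reason}")
```

This check is lexical only: on a real system the extractor must additionally resolve symlinks and junctions in the destination (and refuse to follow ones created by earlier entries of the same archive), and on Windows the comparison should be case-insensitive. A scanner built on `scan_listing` can also serve as a detection control, flagging archives whose listing contains traversal entries before any user opens them.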
This vulnerability requires a small but dangerous degree of user interaction. To exploit it, attackers must convince the target to open a malicious archive file, a scenario that is easily achieved through phishing, malvertising, or drive-by downloads. The malicious payload is typically disguised as a legitimate archive, hiding the exploit within seemingly harmless content.
RARLAB responded swiftly to the discovery, and the flaw has been addressed in WinRAR 7.12 Beta 1. Users are strongly urged to update immediately to ensure protection against this and other potentially undisclosed vulnerabilities.