CVE-2025-6218 WinRAR Directory Traversal Vulnerability

🔍 Overview

CVE-2025-6218 is a directory traversal vulnerability discovered in WinRAR, the widely used file archiving tool for Windows. The flaw allows attackers to craft malicious archive files (e.g., .rar, .zip) that, when extracted, place files outside the intended extraction directory—potentially into critical system locations.

This vulnerability poses a significant risk because it enables arbitrary file write, which can be escalated to remote code execution (RCE) under certain conditions.

⚙️ Technical Breakdown

Root Cause:

The vulnerability lies in improper sanitization of archive file paths during extraction. Specifically:

• Malicious archives may include relative paths (..\) or absolute paths (C:\...) in file headers.
• WinRAR fails to properly validate and restrict these paths, allowing files to be written outside the user’s chosen directory.

Exploitation Scenario:

1. An attacker sends or tricks a user into downloading and opening a specially crafted archive.
2. Upon extraction, files are written into sensitive directories:
   • For example:
     • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe
     • This ensures the file is executed at next login without any further user interaction.
3. Payload execution may lead to:
   • Installation of remote access tools (RATs)
   • Ransomware deployment
   • Data theft or privilege escalation

Key Notes:

• User interaction is required, i.e., the victim must open the malicious archive and initiate extraction.
• The attack is stealthy, as no immediate symptoms may be noticed post-extraction.

🧪 Discovery and Disclosure

• Reported by: Researcher whs3-detonator via Trend Micro’s Zero Day Initiative (ZDI-CAN-27198).
• Public Disclosure: June 2025
• Security Advisory: Published on multiple platforms, including GitHub and NIST NVD.

🧯 Affected Versions

• Windows WinRAR ≤ 7.11 Windows RAR / UnRAR / UnRAR.dll
• Unix/Linux Portable UnRAR Source ❌ Not affected
• Android WinRAR for Android ❌ Not affected

🛠️ Mitigation and Patch

✅ Patched Version:

• WinRAR 7.12 beta 1 (Released: June 10, 2025)
• The update fixes the directory traversal logic, restricting extracted file paths to the selected destination folder.

🔄 Update Instructions:

• Download from official site: https://www.win-rar.com
• Verify version post-install via: Help > About WinRAR

🔒 Additional Mitigations (for enterprise):

• Block execution from user profile Startup folders
• Implement endpoint detection to monitor unusual archive extraction activity
• Restrict unknown file types from being opened automatically via mail or browser
• Disable file execution in temp directories using Group Policy or EDR

📌 Final Recommendation

WinRAR is a commonly installed tool on enterprise and personal systems, making this vulnerability highly impactful. Although user interaction is required, the simplicity of luring users into extracting an archive means mass exploitation is plausible via phishing or drive-by downloads.

Action Now: Upgrade to WinRAR 7.12 beta 1 or newer. Enterprises should monitor archive activity and enforce attachment restrictions at the email and browser level.