CVE-2025-6218 and CVE-2025-62221 Hit CISA KEV

CISA has added CVE-2025-6218 and CVE-2025-62221 to its Known Exploited Vulnerabilities (KEV) catalog, signaling active real-world exploitation and immediate remediation requirements for federal agencies and private sector organizations. These flaws represent high-impact risks: a directory-traversal remote code execution in WinRAR and a use-after-free privilege escalation in the Windows Cloud Files Mini Filter Driver. Security teams must prioritize patching to disrupt ongoing threat actor campaigns targeting these vulnerabilities.

WinRAR’s Dangerous Directory Escape(CVE-2025-6218)

Attackers exploit CVE-2025-6218 by crafting malicious RAR archives that bypass extraction safeguards, writing files to arbitrary system locations and executing code upon user interaction. Commonly spread via phishing attachments or tainted downloads, this flaw turns a simple archive open into full system compromise, evading many antivirus solutions due to WinRAR’s ubiquity. Its KEV elevation underscores confirmed attacks, demanding scans for outdated WinRAR versions across enterprise fleets.

Windows Cloud Files Escalation Nightmare (CVE-2025-62221)

CVE-2025-62221 stems from a use-after-free error in Microsoft’s Cloud Files Mini Filter Driver, enabling local attackers with low privileges to elevate to SYSTEM level and achieve kernel-level control. Common on Windows systems with OneDrive or similar cloud sync features, this flaw chains easily with initial footholds like phishing or drive-by downloads, facilitating persistence, lateral movement, and data exfiltration. Microsoft addressed it in the December 2025 Patch Tuesday release, but unpatched systems remain prime targets.

Why KEV Addition Demands Action Now

KEV listings mandate federal agencies to patch by specified deadlines—often within weeks—while serving as a wake-up call for all organizations to apply the same urgency. Both vulnerabilities carry CVSS scores in the high-to-critical range and are assessed as immediate risks due to confirmed exploits, potentially leading to full domain compromise when combined. Vulnerability managers should integrate these into top-tier remediation queues, leveraging tools like Qualys or Tenable for rapid asset discovery and patch deployment.

Action Plan for Defenders

Security operations must immediately inventory affected assets: scan for WinRAR installations and Cloud Files driver usage across Windows fleets. Deploy patches from RARLAB and Microsoft without delay, prioritizing internet-facing and high-value systems like admin workstations and servers. Implement compensating controls such as blocking untrusted archive extraction, restricting local privileges, and enhancing EDR rules for anomalous file writes or privilege escalations. Proactive threat hunting should focus on related IOCs, including suspicious archive handling and SYSTEM process anomalies from the past 30 days.

Long-Term Resilience Strategies

Beyond patching, organizations should enforce least-privilege principles, disable unnecessary cloud sync drivers where feasible, and educate users on archive risks. Regularly audit KEV updates via CISA feeds and correlate with vulnerability scanners to maintain prioritization. By treating these KEV entries as mission-critical, teams can minimize breach risks and stay ahead of evolving threat landscapes in 2025.