
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw affecting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that allows code execution. However, a successful exploit would require the potential target to visit a malicious page or open a malicious file.
“A path traversal vulnerability exists in RARLAB WinRAR that could allow an attacker to execute code in the context of the current user,” CISA said in the alert.
This vulnerability was patched by RARLAB in WinRAR 7.12 in June 2025. It affects Windows-based builds only; versions of the tool for other platforms, such as Unix and Android, are not affected.

“This flaw could be exploited to place files in sensitive locations such as the Windows startup folder, potentially resulting in unintended code execution at the next system login,” RARLAB noted at the time.
This development follows multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security that the vulnerability is being exploited by distinct threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.
In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may have exploited the flaw, along with another WinRAR path traversal vulnerability, CVE-2025-8088 (CVSS score: 8.8), in attacks targeting domestic organizations via phishing emails in July 2025.
Subsequently, the South Asia-focused Bitter APT was also found to be exploiting this vulnerability to facilitate persistence on compromised hosts and ultimately drop a C# Trojan using a lightweight downloader. The attack leverages a RAR archive (“Sector Information for AJK.rar”) that contains a benign Word document and a malicious macro template.
“The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” Foresiet said last month. “Normal.dotm is a global template that loads every time Word is opened. By replacing legitimate files, attackers can cause malicious macro code to run automatically, providing a persistent backdoor that bypasses standard email macro blocking on documents received after the initial compromise.”
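RARLAB's note about files placed in the Startup folder and Foresiet's description of Normal.dotm both come down to one defensive check: does an archive entry name, once joined to the extraction directory, still resolve inside it, and does it land on a known persistence path? The script below is an added example for this article, not RARLAB's or any vendor's code; the extraction root, entry names and persistence markers are all constructed.

```python
"""Audit archive entry names for path traversal into persistence locations.
Added example for this article, not RARLAB's or any vendor's code: it models
the behaviour described (an entry whose '..' segments land in the Windows
Startup folder or Word's global template path). All paths are constructed."""
import ntpath

# Lowercase, backslash-normalised suffixes of the two drop targets the
# article names (constructed markers; extend for your environment).
PERSISTENCE_MARKERS = (
    "\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\microsoft\\templates\\normal.dotm",
)

# Constructed entry listing resembling the abuse described in the article.
SAMPLE_ENTRIES = [
    "report.docx",                                   # decoy document
    "../../AppData/Roaming/Microsoft/Templates/Normal.dotm",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat",
    r"C:\Windows\Temp\payload.exe",                  # drive-absolute name
    "images/../readme.txt",                          # '..' that stays inside
]

def _resolve(dest_root, entry_name):
    """Normalised, case-folded Windows path the entry would be written to."""
    return ntpath.normcase(ntpath.normpath(ntpath.join(dest_root, entry_name)))

def resolves_outside(dest_root, entry_name):
    """True if the entry escapes dest_root (which must be absolute). Drive-
    qualified or rooted names are rejected outright; '..' segments are
    collapsed first, so only names that really leave the root count."""
    if ntpath.isabs(entry_name) or ntpath.splitdrive(entry_name)[0]:
        return True
    root = ntpath.normcase(ntpath.normpath(dest_root))
    target = _resolve(root, entry_name)
    return not (target == root or target.startswith(root + "\\"))

def audit_entries(dest_root, entry_names):
    """Return [(entry, reasons)] for every entry a safe extractor should refuse."""
    findings = []
    for name in entry_names:
        reasons = []
        if resolves_outside(dest_root, name):
            reasons.append("escapes extraction directory")
        if any(m in _resolve(dest_root, name) for m in PERSISTENCE_MARKERS):
            reasons.append("writes to persistence location")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for entry, why in audit_entries(r"C:\Users\victim\Downloads\extract", SAMPLE_ENTRIES):
        print(f"REFUSE {entry!r}: {', '.join(why)}")
```

The same check can be run over the output of an archiver's list command before extraction; entries that pass it cannot reach either location regardless of how the extractor itself handles `..`.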
The C# Trojan is designed to connect to an external server (johnfashionaccess[.]com) for command and control (C2) and enables keylogging, screenshot capture, Remote Desktop Protocol (RDP) credential collection, and file extraction. The RAR archives are known to be propagated via spear-phishing attacks.
Last but not least, CVE-2025-6218 has been exploited by the Russian hacker group known as Gamaredon in phishing campaigns targeting military, government, political, and administrative institutions in Ukraine, infecting them with malware called Pteranodon. This activity was first observed in November 2025.

“This is not an opportunistic campaign,” said a security researcher named Robin. “This is an organized military-oriented espionage and sabotage operation consistent with and possibly coordinated by Russian state intelligence.”
It is also worth noting that attackers are extensively exploiting CVE-2025-8088, using it to distribute Visual Basic Script malware and to deploy a new wiper codenamed GamaWiper.
“This is the first instance in which Gamaredon has been observed conducting sabotage operations rather than traditional espionage,” Clear Sky said in a Nov. 30, 2025, post to X.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until December 30, 2025, to apply the necessary fixes to secure their networks.
