The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.
“RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,” CISA said in an alert.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.
“This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login,” RARLAB noted at the time.
The development comes in the wake of multiple reports from BI.ZONE, Foresiet, SecPod, and Synaptic Security that the vulnerability has been exploited by three different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon.
In an analysis published in August 2025, the Russian cybersecurity vendor said there are indications that GOFFEE may be exploited CVE-2025-6218 along with CVE-2025-8088 (CVSS score: 8.8), another path traversal flaw in WinRAR, in attacks targeting organizations in the country in July 2025 via phishing emails.
It has since emerged that the South Asia-focused Bitter APT has also weaponized the vulnerability to facilitate persistence on the compromised host and ultimately drop a C# trojan by means of a lightweight downloader. The attack leverages a RAR archive (“Provision of Information for Sectoral for AJK.rar”) that contains a benign Word document and a malicious macro template.
“The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” Foresiet said last month. “Normal.dotm is a global template that loads every time Word is opened. By replacing the legitimate file, the attacker ensures their malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise.”
The C# trojan is designed to contact an external server (“johnfashionaccess[.]com”) for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration. It’s assessed that the RAR archives are propagated via spear-phishing attacks.
Last but not least, CVE-2025-6218 has also been exploited by a Russian hacking group known as Gamaredon in phishing campaigns targeting Ukrainian military, governmental, political, and administrative entities to infect them with a malware referred to as Pteranodon. The activity was first observed in November 2025.
“This is not an opportunistic campaign,” a security researcher who goes by the name Robin said. “It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.”
It’s worth noting that the adversary has also extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploy a new wiper codenamed GamaWiper.
“This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities,” ClearSky said in a November 30, 2025, post on X.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks.
