Ethical Hacking News
A critical vulnerability in WinRAR has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA, citing evidence of active exploitation. Despite being patched, the vulnerability remains a concern due to its potential impact on organizations. Organizations are required to apply the necessary fixes by December 30, 2025, to secure their networks and prevent potential exploitation.
CVE-2025-6218, a path traversal bug in WinRAR, has been added to the Known Exploited Vulnerabilities (KEV) catalog by CISA, citing evidence of active exploitation. The vulnerability, which affects Windows-based builds, can enable code execution, but only if a target visits a malicious page or opens a malicious file. A patch was released by RARLAB in June 2025, but the vulnerability remains a concern due to its potential impact on organizations. Two threat actors, GOFFEE and Gamaredon, have exploited the vulnerability, using it to deliver malware and deploy wipers. Federal Civilian Executive Branch (FCEB) agencies must apply fixes by December 30, 2025, to secure their networks.
CVE-2025-6218, a path traversal bug in WinRAR, has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability (CVSS score: 7.8) can enable code execution, but only if a prospective target visits a malicious page or opens a malicious file.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025, and it only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected. However, despite being patched, the vulnerability remains a concern due to its potential impact on organizations.
An analysis published in August 2025 by Russian cybersecurity vendor SecPod indicates that two different threat actors tracked as GOFFEE (aka Paper Werewolf), Bitter (aka APT-C-08 or Manlinghua), and Gamaredon have exploited the vulnerability. The attack leverages a RAR archive ("Provision of Information for Sectoral for AJK.rar") that contains a benign Word document and a malicious macro template.
The malicious archive drops a file named Normal.dotm into Microsoft Word's global template path, replacing the legitimate file. This ensures that the attacker's malicious macro code executes automatically, providing a persistent backdoor that bypasses standard email macro blocking for documents received after the initial compromise. The C# trojan is designed to contact an external server ("johnfashionaccess[.]com") for command-and-control (C2) and enable keylogging, screenshot capture, remote desktop protocol (RDP) credential harvesting, and file exfiltration.
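The mechanism above is a path traversal: an archive member name is crafted so that extraction writes outside the chosen output folder, here into Word's template directory. The following Python is an added example, not code from the article, RARLAB or any of the cited vendors. It shows the check a safe extractor, a mail gateway or a triage script would apply to a member list before extracting: resolve each name against the extraction directory, flag absolute paths and anything that escapes that directory, and call out writes into an Office Templates folder. The member names, the extraction directory and the helper names (`check_members`, `resolve_member`, `is_patched_version`) are constructed for the example; the only facts taken from the article are that the fix is WinRAR 7.12 and that Normal.dotm in the global template path is the persistence target.

```python
import posixpath
import re

# Windows drive letter ("C:") or UNC prefix ("//server") after backslash folding.
ABSOLUTE_PREFIX = re.compile(r"^([A-Za-z]:|//)")

# Constructed sample member list (not the contents of the real archive):
# a benign document, a traversal entry aimed at Word's global template
# folder as the article describes, a normal nested file, an absolute path
# and a traversal that stays on the same drive. All names are assumptions.
SAMPLE_MEMBERS = [
    "Provision of Information for Sectoral for AJK.docx",
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "docs/./notes.txt",
    "C:\\Windows\\Temp\\dropper.exe",
    "subdir/../../stray.txt",
]


def resolve_member(member: str, extract_dir: str):
    """Resolve one archive member name against the extraction directory.

    Backslashes are folded to '/', then '.' and '..' segments are collapsed.
    Returns None for absolute members (drive letter, UNC or root-relative),
    which ignore extract_dir entirely and are never safe to extract as-is.
    """
    name = member.replace("\\", "/")
    if name.startswith("/") or ABSOLUTE_PREFIX.match(name):
        return None
    return posixpath.normpath(posixpath.join(extract_dir, name))


def check_members(members, extract_dir="C:/Users/victim/Downloads/extract"):
    """Return {member: [reasons]} for every member that must not be
    extracted blindly: absolute paths, paths that escape extract_dir, and
    anything landing in a Microsoft Office Templates folder."""
    base = posixpath.normpath(extract_dir.replace("\\", "/"))
    findings = {}
    for member in members:
        reasons = []
        target = resolve_member(member, base)
        if target is None:
            reasons.append("absolute path")
        elif target != base and not target.startswith(base + "/"):
            reasons.append(f"escapes extraction directory -> {target}")
        if target is not None and "/microsoft/templates/" in target.lower():
            reasons.append("lands in an Office Templates folder (Normal.dotm persistence)")
        if reasons:
            findings[member] = reasons
    return findings


def is_patched_version(version: str, fixed=(7, 12)) -> bool:
    """True when a WinRAR version string is at or above the 7.12 fix release
    named in the article. Only Windows builds are affected, so callers should
    skip this check on other platforms."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts >= fixed


if __name__ == "__main__":
    for member, reasons in check_members(SAMPLE_MEMBERS).items():
        print(f"{member!r}: {'; '.join(reasons)}")
    for v in ("7.11", "7.12", "7.13"):
        print(v, "patched" if is_patched_version(v) else "vulnerable")
```

The normalisation is done with `posixpath` on purpose: treating the name as a plain string of segments, independent of the host OS, is what lets the same check run on a Linux mail gateway for archives destined for Windows users. A version string that falls below 7.12 on a Windows host is the condition CISA's KEV deadline is about.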
Gamaredon has also exploited CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and deploying a new wiper codenamed GamaWiper. This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 30, 2025, to secure their networks. The threat actor identified as GOFFEE has extensively abused CVE-2025-8088, using it to deliver malicious Visual Basic Script malware and even deploying a new wiper codenamed GamaWiper.
ClearSky stated that this marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities. This highlights the evolving nature of cyber threats and the need for organizations to stay vigilant in addressing emerging vulnerabilities.
In light of active exploitation, it is essential for organizations to take immediate action to secure their networks. Applying the necessary fixes by December 30, 2025, will help prevent potential exploitation of CVE-2025-6218.
This actively exploited WinRAR vulnerability serves as a reminder of the importance of staying up to date with the latest security patches and being aware of emerging vulnerabilities. As the threat landscape continues to evolve, it is crucial for organizations to remain proactive in addressing these concerns.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Highly-Vulnerable-WinRAR-Exploit-Understanding-the-Threat-and-Its-Implications-ehn.shtml
https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
https://cybersecuritynews.com/winrar-0-day-rce-vulnerability-exploited/
https://nvd.nist.gov/vuln/detail/CVE-2025-6218
https://www.cvedetails.com/cve/CVE-2025-6218/
https://nvd.nist.gov/vuln/detail/CVE-2025-8088
https://www.cvedetails.com/cve/CVE-2025-8088/
https://www.techrxiv.org/users/925297/articles/1302637-comparative-analysis-of-goffee-apt-operations-and-defensive-strategies
https://securelist.com/goffee-apt-new-attacks/116139/
https://www.eset.com/us/about/newsroom/research/eset-research-investigates-the-gamaredon-apt-group-cyberespionage-aimed-at-high-profile-targets-in-ukraine-and-nato-countries-1/
https://attack.mitre.org/groups/G0047/
Published: Wed Dec 10 06:23:57 2025 by llama3.2 3B Q4_K_M