Security researchers have raised a warning about active exploitation of CVE-2025-6218, a path traversal vulnerability in WinRAR. The bug carries a CVSS score of 7.8 (high) and was fixed in WinRAR 7.12. A crafted archive can make WinRAR write files outside the directory the user chose for extraction, which attackers use to plant content that later executes in the context of the current user, so any organization running an unpatched WinRAR is exposed.
The first signals of exploitation appeared in July 2025. Several threat actors, including the well-known groups GOFFEE, Bitter, and Gamaredon, have since been reported exploiting the flaw. Reported campaigns, including ones against organizations in Russia, delivered malicious RAR archives that pair a benign decoy document with archive entries whose paths escape the extraction directory, so that a macro-bearing payload lands in a location from which it runs later without further user action.
Details of the Exploit
CVE-2025-6218 allows an adversary to run arbitrary code in the context of the current user. According to the Cybersecurity and Infrastructure Security Agency (CISA), “RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.” The root cause is that affected WinRAR versions did not sanitize relative path components such as `..\` in archive entry names, so extracting an archive into one folder could write files into a parent or sibling folder of the attacker's choosing. Execution does not happen at extraction time; it happens when the planted file is later loaded from its drop location, for example when the user next starts Word, which is the case described below.
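As an added example (not code from the original article, from CISA, or from RARLAB), the Python below models the bug class behind CVE-2025-6218: an extractor that trusts archive entry names, next to a hardened one that canonicalizes each name and refuses entries that resolve outside the destination, plus a scanner over a constructed entry listing. The entry names, the destination path and the function names are illustrative assumptions, not taken from a real sample; RAR parsing itself is out of scope, so the listing is embedded inline.

```python
"""Path traversal in archive extraction: vulnerable join vs. hardened check.

Added illustration for the CVE-2025-6218 bug class. Entry names below are
constructed for the example and are NOT taken from a real malicious archive.
"""
import posixpath
import re

# Destination the user chose in the extraction dialog (hypothetical).
DEST = "C:/Users/victim/Downloads/extract"

# Constructed listing of what a crafted archive might carry alongside a decoy.
SAMPLE_ENTRIES = [
    "Provision of Information for Sectoral for AJK.docx",          # decoy, stays inside
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",  # escapes to Word's template path
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
    "C:\\Users\\Public\\payload.exe",                                # absolute path, ignores dest
    "docs/../docs/readme.txt",                                       # benign after normalisation
]

# Drive letters (C:) and UNC prefixes (\\server or //server) are absolute on Windows.
_ABSOLUTE_WIN = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def normalize_entry(name: str) -> str:
    """Canonicalise an entry name: unify separators, collapse '.' and '..'."""
    return posixpath.normpath(name.replace("\\", "/"))


def escapes_destination(name: str) -> bool:
    """True if extracting `name` would write outside the destination directory."""
    if _ABSOLUTE_WIN.match(name):
        return True
    n = normalize_entry(name)
    if n.startswith("/"):
        return True
    return n == ".." or n.startswith("../")


def naive_target(dest: str, name: str) -> str:
    """What a vulnerable extractor does: join the name and let '..' resolve."""
    return posixpath.normpath(posixpath.join(dest, name.replace("\\", "/")))


def safe_target(dest: str, name: str) -> str:
    """Hardened variant: reject anything that does not stay under `dest`."""
    if escapes_destination(name):
        raise ValueError(f"refusing entry that escapes destination: {name!r}")
    full = posixpath.normpath(posixpath.join(dest, normalize_entry(name)))
    # Belt and braces: re-check the resolved path really is inside dest.
    if full != dest and not full.startswith(dest.rstrip("/") + "/"):
        raise ValueError(f"resolved outside destination: {name!r}")
    return full


def scan_entries(names):
    """Triage helper: return the entries that would escape the destination."""
    return [n for n in names if escapes_destination(n)]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        flag = "ESCAPES" if escapes_destination(entry) else "ok     "
        print(f"{flag}  {entry!r} -> {naive_target(DEST, entry)}")
```

`naive_target` shows where the Normal.dotm entry actually lands when `..` is honored: two levels above the extraction folder, in the user's roaming profile. `scan_entries` is the shape of check a mail gateway or sandbox can run over an archive's directory listing before anyone extracts it; entries with a drive letter, a UNC prefix, or a leading `..` after normalization have no legitimate reason to exist in a document archive.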
One reported lure is a RAR archive titled “Provision of Information for Sectoral for AJK.rar”, which presents a seemingly innocuous Word document. Alongside the decoy, an entry with a traversal path drops a macro-bearing Word template outside the extraction folder, and that template takes the next steps of the attack once Word is opened.
“The malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path,” – Foresiet
Normal.dotm is Word's global template, loaded every time Microsoft Word starts. By replacing the genuine file, attackers ensure their macro code runs automatically at each launch, regardless of which document the user opens. This gives them a persistent foothold that is not affected by the usual email-based macro blocking, which acts on individual downloaded documents rather than on the template Word itself loads; the user Templates folder is also a default Trusted Location in Office, so macros there do not trigger the normal macro warning.
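As an added example, not part of the article or of Foresiet's analysis, the following Python checks whether a Word global template carries macros, the way a responder would triage the Normal.dotm drop described above. A .dotm file is an OOXML ZIP package: VBA lives in the `word/vbaProject.bin` part, and a macro-enabled template declares the content type `application/vnd.ms-word.template.macroEnabledTemplate.main+xml`. The two sample templates are constructed in memory so the check runs offline; `build_sample_template` and `default_normal_dotm_path` are illustrative helpers, not Microsoft or Foresiet tooling.

```python
"""Triage a Word global template (Normal.dotm) for embedded VBA.

Added illustration. Sample templates are constructed in memory and are NOT
real Word output; they carry only the package parts the check looks at.
"""
import hashlib
import io
import os
import zipfile

VBA_PART = "word/vbaProject.bin"
MACRO_TEMPLATE_TYPE = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
PLAIN_TEMPLATE_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml"


def build_sample_template(with_macros: bool) -> bytes:
    """Constructed minimal OOXML template for the example (not a real Word file)."""
    main_type = MACRO_TEMPLATE_TYPE if with_macros else PLAIN_TEMPLATE_TYPE
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project (assumption).
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 stub vbaProject")
    return buf.getvalue()


def inspect_template(data: bytes) -> dict:
    """Return the indicators a responder wants from a template's raw bytes."""
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ooxml": False,
        "has_vba_part": False,
        "macro_enabled_type": False,
    }
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy .dot (OLE container) or junk: needs a different parser
    with z:
        names = set(z.namelist())
        result["is_ooxml"] = "[Content_Types].xml" in names
        result["has_vba_part"] = VBA_PART in names
        if result["is_ooxml"]:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = MACRO_TEMPLATE_TYPE in ct
    return result


def is_suspicious(result: dict) -> bool:
    """A global template with VBA deserves review; a default Normal.dotm has none."""
    return result["has_vba_part"] or result["macro_enabled_type"]


def default_normal_dotm_path() -> str:
    """Where Word keeps the user's global template (per user, under %APPDATA%)."""
    appdata = os.environ.get(
        "APPDATA", os.path.join(os.path.expanduser("~"), "AppData", "Roaming")
    )
    return os.path.join(appdata, "Microsoft", "Templates", "Normal.dotm")


def check_file(path: str) -> dict:
    """Inspect an on-disk template and record its mtime for timeline correlation."""
    with open(path, "rb") as fh:
        result = inspect_template(fh.read())
    result["path"] = path
    result["mtime"] = os.path.getmtime(path)
    return result


if __name__ == "__main__":
    target = default_normal_dotm_path()
    if os.path.exists(target):
        print(check_file(target))
    else:
        for label, blob in (("clean", build_sample_template(False)),
                            ("macro", build_sample_template(True))):
            r = inspect_template(blob)
            print(label, "suspicious" if is_suspicious(r) else "clean", r["sha256"][:16])
```

Run on a real host, the interesting fields are `mtime`, which should be compared with the time a RAR archive was extracted, and `sha256`, which can be matched across machines. A macro-bearing Normal.dotm is a triage flag rather than proof of compromise: users who record their own macros legitimately end up with VBA in the global template, so the finding needs correlation with the archive and with the downloader the macro pulls in.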
Threat Actor Insights
Among the actors exploiting CVE-2025-6218, GOFFEE stands out for its organized and methodical approach. The group has also been credited with weaponizing the second WinRAR path traversal vulnerability, CVE-2025-8088. Analysts assess that GOFFEE's activity goes beyond opportunism and is part of a broader campaign that they attribute to Russian state intelligence.
Bitter APT has also weaponized the vulnerability effectively, using CVE-2025-6218 to establish persistence on compromised hosts by dropping a C# trojan through a lightweight downloader. The chain is a reminder that an arbitrary file write into a user's profile is all an attacker needs for persistence when the drop location is chosen well.
“It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.” – Robin
Immediate Actions Required
In view of these events, organizations should act now to protect against CVE-2025-6218. CISA has placed the flaw in its Known Exploited Vulnerabilities catalog, and FCEB agencies have until December 30, 2025 to remediate it. The fix is WinRAR 7.12 or later; WinRAR does not update itself, so inventory installed versions, including portable and bundled copies outside the managed software list, and deploy the new build as soon as possible.
The need for action is pressing because several threat actors are already exploiting CVE-2025-6218 in the wild. Beyond patching, look for the artifacts described above: a Normal.dotm modified around the time a RAR archive was extracted, and archives whose entry names contain traversal sequences. Closing known exploited gaps like this one quickly is part of safeguarding sensitive information and critical infrastructure.