CVE-2025-6218 is a path traversal vulnerability classified under CWE-22 affecting RARLAB WinRAR version 7.11 (64-bit). The vulnerability stems from improper handling of file paths within archive files, where crafted file paths can cause the extraction process to traverse directories outside the intended extraction folder. This allows an attacker to place malicious files in arbitrary locations on the victim’s system. When a user opens a maliciously crafted archive or visits a malicious webpage that triggers archive extraction, the attacker can execute arbitrary code with the privileges of the current user. The vulnerability requires user interaction but does not require prior authentication, increasing its risk. The CVSS v3.0 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. Although no exploits are currently known in the wild, the vulnerability poses a significant risk due to the widespread use of WinRAR globally. The flaw was reported by ZDI under identifier ZDI-CAN-27198 and publicly disclosed on June 21, 2025. No official patches have been linked yet, so users must rely on mitigations or updates once available.

The vulnerability enables attackers to execute arbitrary code remotely with the privileges of the user opening the malicious archive, potentially leading to full system compromise. This can result in unauthorized data access, data modification, installation of persistent malware, or disruption of system availability. Since WinRAR is widely used for file compression and decompression, many organizations and individuals are at risk, especially those who frequently handle archives from untrusted sources. The requirement for user interaction limits automated exploitation but does not eliminate risk, as social engineering can induce users to open malicious files. The impact is severe in environments where users have elevated privileges or where sensitive data is processed. Additionally, exploitation could facilitate lateral movement within networks if attackers gain footholds on endpoint systems.

Organizations should immediately update WinRAR to the latest version once a patch addressing CVE-2025-6218 is released by RARLAB. Until then, users should avoid opening archives from untrusted or unknown sources. Implement application whitelisting to restrict execution of unauthorized binaries that could be dropped by malicious archives. Employ endpoint detection and response (EDR) solutions to monitor for suspicious file system activity indicative of path traversal exploitation. Educate users on the risks of opening unsolicited archive files and visiting untrusted websites. Network-level controls such as web filtering and email gateway scanning can help block malicious archives before reaching end users. Consider running WinRAR with least privilege and in sandboxed environments where possible to limit impact of exploitation. Regularly audit and monitor file system changes to detect anomalous file placements.