WinRAR Path Traversal CVE-2025-6218
Potential affected sectors
· Government Organizations
· Military and Defense
o Military organizations
o Defense contractors
o Aerospace companies
· Financial Services
o Banks
o Fintech companies
o General financial institutions
· Manufacturing and Industrial
· Logistics and Transportation
o Logistics and transportation firms in Europe and Canada were specifically targeted in observed campaigns.
· Energy
Potential affected countries
· Global
BLUF
A path traversal vulnerability in WinRAR can allow an attacker to execute code in the context of the current user by tricking them into opening a malicious file or visiting a malicious page.
Date of first reported activity
· Active exploitation was confirmed by December 10, 2025.
Date of last reported activity update
· December 10, 2025
CVE-2025-6218
CVSS v3.1
· (7.8) AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
o Scored by Zero Day Initiative
Nessus ID
· 242073
Is this on the KEV list
· Yes, added on December 9, 2025.
Patch by date on the KEV list
· December 30, 2025.
Patching/mitigation data
URL Link to Patch
· hxxps://www.rarlab.com/download.htm
Suspected APT names
Gamaredon aka Shuckworm or UAC-0010
RomCom aka UNC4168
Paper Werewolf
APT-C-08 aka Bitter
IOCs
Behavioral and File System Indicators
The primary indicator of the path traversal is the presence of unexpected files in critical directories where they were not intended to be extracted.
· Malicious Archive Structure: Archive files (.rar, .zip) containing crafted file paths that use directory traversal sequences (e.g., ..\..\..\) to escape the intended extraction folder.
· Payload Dropping Locations: The exploit is designed to drop malicious files into sensitive system directories to ensure persistence and execution:
o Windows Startup Folder: Malicious executables (like winsc.exe or xpsrchvw74.exe) or malicious shortcut (.lnk) files found in the user's Startup directory.
o Microsoft Word Templates Folder: The malicious modification or replacement of the Normal.dotm global template file, which executes macros every time Word is opened.
· Process Monitoring: Unusual process activity where WinRAR.exe or related extraction processes spawn suspicious child processes, especially those attempting network connections or writing to sensitive locations.
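As an added example (not part of this advisory), a defender-side hunt script in Python that lists the entries of a suspect .zip and flags the indicators described above: traversal sequences, absolute or drive-letter paths, and entry names aimed at the Startup folder or Normal.dotm. The sample archive is constructed inline with harmless placeholder contents; applying the same check to .rar files would need a RAR listing library, which is assumed rather than shown.

```python
import io
import posixpath
import re
import zipfile

# Drop locations named in the advisory: the user's Startup folder and the
# Word global template Normal.dotm.
SENSITIVE_DESTINATIONS = [
    re.compile(r"/start menu/programs/startup/", re.I),
    re.compile(r"/microsoft/templates/normal\.dotm$", re.I),
]

def normalise(name: str) -> str:
    """Treat backslashes as separators and collapse ./ and inner ../ components."""
    return posixpath.normpath(name.replace("\\", "/"))

def classify_entry(name: str) -> list[str]:
    """Findings for one archive entry name; an empty list means nothing suspicious."""
    findings = []
    norm = normalise(name)
    # A normalised path that still begins with ".." escapes the extraction root.
    if norm == ".." or norm.startswith("../"):
        findings.append("traversal")
    # Absolute or drive-letter paths ignore the extraction root altogether.
    if norm.startswith("/") or re.match(r"^[A-Za-z]:/", norm):
        findings.append("absolute-path")
    if any(p.search(norm) for p in SENSITIVE_DESTINATIONS):
        findings.append("sensitive-destination")
    return findings

def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Return {entry_name: findings} for every flagged entry in the zip bytes."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings = classify_entry(info.filename)
            if findings:
                report[info.filename] = findings
    return report

def build_sample() -> bytes:
    """Constructed test archive (harmless contents): one benign entry, two crafted names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"benign placeholder")
        zf.writestr("..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk", b"placeholder")
        zf.writestr("../../AppData/Roaming/Microsoft/Templates/Normal.dotm", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, findings in scan_zip(build_sample()).items():
        print(f"{entry}: {', '.join(findings)}")
```

Run it against archives quarantined from mail gateways or endpoint telemetry; any entry flagged as "traversal" or "absolute-path" is worth a look regardless of whether it targets one of the two known drop locations.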
Associated Malware detections
Bat.Trojan.49857.GC
Lnk.Trojan.49856.GC
Trojan.Ghanarava.1754899322556336
Malware Samples
Bat.Trojan.49857.GC
sha256
49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1
URL link to sample
hxxps://www.virustotal.com/gui/file/49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1
Lnk.Trojan.49856.GC
sha256
a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa
4da20b8b16f006a6a745032165be68c42efef9709c8e133e39d4b6951cca5179
URL link to sample
hxxps://www.virustotal.com/gui/file/a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa
hxxps://www.virustotal.com/gui/file/4da20b8b16f006a6a745032165be68c42efef9709c8e133e39d4b6951cca5179
Trojan.Ghanarava.1754899322556336
sha256
8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7
URL link to sample
hxxps://www.virustotal.com/gui/file/8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7
TTPs
· T1204.002: User Execution (Malicious File) - Requires user interaction, such as opening a malicious archive file.
· T1078: Valid Accounts (for potential privilege escalation once initial access is gained).
Suggested rules / potential hunts
Potential Suricata rules: Generic file-based rules might be available from security vendors but are not specified here.
Potential Sentinel rules: Not specified.
Potential Splunk hunts: Not specified.
Delivery method
· Malicious files delivered via email, messaging, or links to malicious websites.
Email samples
· Based on the phase of attack, this is not applicable at this time.
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-6218
CISA
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
· hxxps://www.cisa.gov/news-events/alerts/2025/08/12/cisa-adds-three-known-exploited-vulnerabilities-catalog
GitHub
· hxxps://github.com/absholi7ly/CVE-2025-6218-WinRAR-Directory-Traversal-RCE
Wiz
· hxxps://www.wiz.io/vulnerability-database/cve/cve-2025-6218
WinRAR
· hxxps://www.rarlab.com/download.htm
Red Hat Customer Portal
· hxxps://access.redhat.com/security/cve/cve-2025-6218
VirusTotal
· hxxps://www.virustotal.com/gui/file/49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1
· hxxps://www.virustotal.com/gui/file/a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa
· hxxps://www.virustotal.com/gui/file/4da20b8b16f006a6a745032165be68c42efef9709c8e133e39d4b6951cca5179
· hxxps://www.virustotal.com/gui/file/8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7
Tenable
· hxxps://www.tenable.com/plugins/nessus/242073