WinRAR Vulnerability Exploited with Malicious Archives to Execute Code
A newly disclosed vulnerability in RARLAB’s WinRAR, the widely used file compression utility for Windows, has put millions of users at risk of remote code execution (RCE) attacks.
Tracked as CVE-2025-6218 and assigned a CVSS score of 7.8 (High), this flaw allows attackers to execute arbitrary code simply by convincing a victim to open a specially crafted archive file.
How the Vulnerability Works
The vulnerability stems from how WinRAR processes file paths within archive files. Specifically, insufficient validation during extraction allows attackers to embed directory traversal sequences (such as ../) in archive entries.
When a user extracts such a malicious archive, WinRAR may place files in unintended system directories, such as the Windows startup folder or other sensitive locations.
If an attacker successfully writes a file to a critical directory, they can trigger code execution the next time the user logs in or restarts their system.
The attack requires user interaction—victims must open a malicious archive, often delivered via phishing emails, malvertising, or compromised websites.
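An added example, not taken from the advisory or from RARLAB's code: a pre-extraction check that resolves each archive entry name using Windows path rules and rejects any entry that would land outside the chosen destination folder. The destination path, entry names and function names are constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

def resolve_entry(dest_dir, entry_name):
    """Return the path an entry would be written to, or None if it escapes dest_dir."""
    # Archives may store either separator; treat both as a Windows separator.
    name = entry_name.replace("/", "\\")
    # Reject absolute, drive-qualified (C:foo) and UNC names outright.
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return None
    dest = ntpath.normpath(dest_dir)
    # normpath collapses ".." so the result is the real write location.
    target = ntpath.normpath(ntpath.join(dest, name))
    # Compare case-insensitively and with a trailing separator, so that
    # a sibling such as "out2" is not mistaken for a child of "out".
    prefix = dest.rstrip("\\").lower() + "\\"
    if target.lower() == dest.lower() or target.lower().startswith(prefix):
        return target
    return None

def audit(dest_dir, entry_names):
    """Split entry names into (safe, rejected) lists before anything is written."""
    safe, rejected = [], []
    for name in entry_names:
        (safe if resolve_entry(dest_dir, name) else rejected).append(name)
    return safe, rejected

# Constructed sample data (hypothetical user and entry names).
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE = [
    "docs/readme.txt",                   # ordinary entry
    "docs/../notes.txt",                 # ".." that stays inside DEST
    r"..\..\outside\startup_item.bat",   # climbs out with backslashes
    "../../outside.txt",                 # climbs out with forward slashes
    r"C:\Windows\Temp\x.dll",            # absolute path
    r"\\host\share\x.exe",               # UNC path
]

if __name__ == "__main__":
    safe, rejected = audit(DEST, SAMPLE)
    print("safe:", safe)
    print("rejected:", rejected)
```

The check covers traversal, absolute and UNC names only; it does not replace updating to the fixed WinRAR release.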
Scope and Impact
- Affected Software: All Windows versions of WinRAR, including RAR, UnRAR, UnRAR.dll, and the portable UnRAR source code, are vulnerable. Unix versions and RAR for Android are not affected.
- Attack Vector: Local (requires the user to open a malicious file)
- Privileges Required: None (executes in the context of the current user)
- Potential Impact: Full compromise of confidentiality, integrity, and availability of the affected system.
The vulnerability was discovered by security researcher whs3-detonator and reported to RARLAB on June 5, 2025.
A coordinated public advisory was released on June 19, 2025, and RARLAB responded promptly by releasing WinRAR version 7.12 Beta 1, which addresses the issue. Users are strongly urged to update to the latest version to mitigate the risk.
| Attribute | Details |
| --- | --- |
| Vulnerability Name | WinRAR Directory Traversal Remote Code Execution |
| CVE ID | CVE-2025-6218 |
| CVSS Score | 7.8 (High) |
| Affected Products | WinRAR for Windows (RAR, UnRAR, UnRAR.dll, portable UnRAR source code) |
Users should immediately update to the latest version of WinRAR (7.12 Beta 1 or later) to protect against this and other potential vulnerabilities.
Avoid opening archive files from unknown or untrusted sources, and remain vigilant against phishing attempts leveraging malicious archives.
The rapid response from RARLAB highlights the importance of timely patching and user awareness in defending against evolving cyber threats.