The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw afflicting the popular WinRAR file compression utility to its Known Exploited Vulnerabilities (KEV) catalog. This WinRAR vulnerability, designated as CVE-2025-6218, is being actively exploited by threat actors, prompting urgent calls for immediate patching.
The path traversal vulnerability carries a CVSS score of 7.8, indicating high severity. Exploitation requires user interaction, such as opening a malicious file or link, but once triggered it allows attackers to execute code in the context of the current user. CISA’s inclusion of CVE-2025-6218 in its KEV catalog signifies that the agency has credible evidence of its widespread use in real-world attacks.
Active Exploitation Fuels WinRAR Security Alert
The WinRAR vulnerability, CVE-2025-6218, was patched by its developer, RARLAB, in WinRAR version 7.12, released in June 2025. The flaw specifically impacts Windows-based versions of the software; other platforms like Unix and Android are unaffected. At the time of its release, RARLAB highlighted that the vulnerability could be abused to place files in sensitive system locations, such as the Windows Startup folder, potentially leading to arbitrary code execution upon the next system login.
Multiple cybersecurity firms, including BI.ZONE, Foresiet, SecPod, and Synaptic Security, have reported on threat actors leveraging this flaw. Two distinct groups, GOFFEE (also known as Paper Werewolf) and Bitter (also known as APT-C-08 or Manlinghua), have been identified as using CVE-2025-6218. Additionally, the threat group Gamaredon has also been observed exploiting this vulnerability.
Multiple APTs Weaponize WinRAR Flaw
One of the most significant threats identified involves the South Asia-focused Bitter APT. This group has reportedly weaponized the vulnerability to establish persistence on compromised systems and deploy a C# trojan using a lightweight downloader. Their attack methodology involves distributing a RAR archive that contains a seemingly innocuous Word document alongside a malicious macro template.
According to analysis from Foresiet, the malicious archive drops a file named Normal.dotm into Microsoft Word’s global template path. Because this global template loads every time Word is opened, replacing the legitimate file ensures that the attackers’ macro code runs automatically. This provides a persistent backdoor that can bypass standard email macro blocking for documents received after the initial compromise.
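The two abuses described above (dropping files into the Windows Startup folder, and replacing Normal.dotm in Word’s global template path) both depend on an archive entry whose name escapes the folder the user chose for extraction. The following is an added example, not code from the article, from RARLAB or from any of the firms cited: a format-agnostic pre-extraction check, of the kind a mail gateway or endpoint tool might run, that flags entry names containing absolute paths, drive letters, UNC prefixes, or ".." components that climb above the extraction root. Because Python’s standard library has no RAR reader, the demonstration archive is a ZIP built in memory; the entry names in it are constructed for illustration and are not taken from a real sample.

```python
"""Pre-extraction check for archive entry names that would escape the
extraction directory (the defect class described for CVE-2025-6218).

Added example; not WinRAR's code and not from the reporting firms.
The sample archive and its entry names are constructed here.
"""
import io
import re
import zipfile
from typing import Iterable, List, Tuple

# Absolute path prefixes: drive letter (C:), rooted path (/ or \), UNC (\\ or //).
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|[\\/]{1,2})")


def entry_escapes(name: str) -> bool:
    """Return True if an entry name would land outside the extraction root.

    Flags absolute paths and any point at which '..' components climb
    above the root. 'a/../b' is allowed (it stays inside), 'a/../../b' is not.
    Both '/' and '\\' are treated as separators, as Windows extractors do.
    """
    if _ABSOLUTE.match(name):
        return True
    depth = 0
    for part in re.split(r"[\\/]+", name):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_entry_names(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each entry name as 'ok' or 'escapes'."""
    return [(n, "escapes" if entry_escapes(n) else "ok") for n in names]


def scan_zip_bytes(data: bytes) -> List[str]:
    """Return the names of entries in a ZIP (given as bytes) that escape.

    Only the central directory is read; nothing is extracted.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if entry_escapes(info.filename)]


def build_sample_zip() -> bytes:
    """Constructed sample: one benign document plus two entries whose names
    try to climb into the Word template folder and the Startup folder
    (locations the article names; the paths here are illustrative only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/Quarterly.docx", b"benign placeholder")
        zf.writestr("..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
                    b"placeholder")
        zf.writestr("../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
                    b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    flagged = scan_zip_bytes(build_sample_zip())
    for name in flagged:
        print(f"BLOCK: entry escapes extraction root: {name!r}")
    print(f"{len(flagged)} unsafe entries found")
```

The check deliberately works on names alone, so it can be applied to any archive format for which a listing is available (for RAR, the same logic can be fed the output of a listing tool). Treat a single flagged entry as grounds to quarantine the whole archive rather than to extract the remaining entries, since the benign-looking document is usually the lure.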
The C# trojan deployed by Bitter is designed to communicate with an external command-and-control (C2) server for instructions and to enable malicious activities. These activities include keylogging, screen capture, harvesting of Remote Desktop Protocol (RDP) credentials, and data exfiltration. Spear-phishing attacks are believed to be the primary vector for distributing these malicious RAR archives.
Meanwhile, the Russian hacking group Gamaredon has also exploited CVE-2025-6218. This group has targeted Ukrainian military, governmental, political, and administrative entities through phishing campaigns. Their objective is to infect these organizations with a malware known as Pteranodon. Activity related to this campaign was first observed in November 2025, and security researchers have characterized it as a structured, military-oriented espionage and sabotage operation, likely coordinated by Russian state intelligence.
Gamaredon’s operations have not been limited to this single vulnerability. The group has also made extensive use of CVE-2025-8088, another path traversal flaw in WinRAR, to deliver malicious Visual Basic Script malware. In a notable escalation, they have also deployed a new wiper malware codenamed GamaWiper. This marks a shift in Gamaredon’s tactics, moving from traditional espionage to destructive operations, according to a November 30, 2025, post by ClearSky.
In response to the active exploitation of this vulnerability, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies implement the necessary security patches by December 30, 2025. This deadline underscores the urgency of securing federal networks against a flaw known to be exploited in the wild.