CVE-2025-6218

HIGH KEV

WinRAR < 7.12 - Remote Code Execution via Path Traversal in Archive File Handling


Exploitation Summary

CVE-2025-6218 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 9, 2025. EIP tracks 6 public exploits from researchers including skimask1690, speinador, and absholi7ly.


Description

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

Exploits (6)

nomisec WORKING POC 30 stars
by skimask1690 · client-side
https://github.com/skimask1690/CVE-2025-6218-POC

This PoC demonstrates a vulnerability in WinRAR (CVE-2025-6218) where a crafted ZIP archive can place a batch file in the Windows Startup folder, leading to arbitrary code execution upon user login. The exploit leverages WinRAR's handling of archive extraction paths.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WinRAR 7.11 and earlier
No auth needed
Prerequisites: WinRAR installed in default location · User interaction to extract the archive
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 17 stars
by speinador · client-side
https://github.com/speinador/CVE-2025-6218_WinRAR

This repository provides a detailed writeup and demonstration of CVE-2025-6218, a path traversal vulnerability in WinRAR versions 7.11 and earlier. It includes instructions for setting up a vulnerable environment and observing how a malicious RAR file can overwrite files outside the extraction directory using relative paths.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: WinRAR 7.11 and earlier
No auth needed
Prerequisites: WinRAR 7.11 or earlier installed on a Windows system · A target file to overwrite · A malicious RAR file with path traversal sequences
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 14 stars
by absholi7ly · client-side
https://github.com/absholi7ly/CVE-2025-6218-WinRAR-Directory-Traversal-RCE

This repository provides a detailed proof-of-concept for CVE-2025-6218, a directory traversal vulnerability in WinRAR versions ≤ 7.11. It includes step-by-step instructions to exploit the flaw, allowing an attacker to place malicious files in sensitive locations like the Windows Startup folder, potentially leading to remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WinRAR versions ≤ 7.11
No auth needed
Prerequisites: WinRAR version ≤ 7.11 installed on target system · User interaction to extract the malicious archive
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 11 stars
by ignis-sec · client-side
https://github.com/ignis-sec/CVE-2025-6218

This repository contains a proof-of-concept exploit for CVE-2025-6218, a WinRAR path traversal vulnerability that can lead to remote code execution. The PoC demonstrates how crafted file paths in RAR archives can bypass sanitization checks to achieve arbitrary file writes.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WinRAR versions up to 7.11
No auth needed
Prerequisites: Victim must open a malicious RAR archive
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 10 stars
by mulwareX · client-side
https://github.com/mulwareX/CVE-2025-6218-POC

This repository contains a Python script that generates a malicious ZIP archive exploiting a directory traversal vulnerability in WinRAR (CVE-2025-6218). The script crafts file paths to extract a payload into the Windows Startup folder, achieving remote code execution upon extraction.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WinRAR (versions prior to patch)
No auth needed
Prerequisites: Victim must extract the malicious ZIP file · Payload must be compatible with Windows environment
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by Chrxstxqn · client-side
https://github.com/Chrxstxqn/CVE-2025-6218-WinRAR-RCE-POC

This repository contains a proof-of-concept exploit for CVE-2025-6218, a critical path traversal vulnerability in WinRAR that allows arbitrary code execution. The exploit leverages malformed RAR archives to write files to arbitrary locations, such as the Startup folder, enabling persistence and remote code execution.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WinRAR ≤ 7.11
No auth needed
Prerequisites: Victim must extract the malicious RAR archive using a vulnerable version of WinRAR
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.8
EPSS: 0.0569
EPSS Percentile: 90.6%
Attack Vector: LOCAL
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-12-09
VulnCheck KEV: 2025-08-08
ENISA EUVD: EUVD-2025-28706
CWE: CWE-22
Status: published
Products (1): rarlab/winrar < 7.12
Published: Jun 21, 2025
KEV Added: Dec 09, 2025
Tracked Since: Feb 18, 2026