Categories: Cyber Security News

WinRAR Directory Vulnerability Allows Execution of Arbitrary Code via Malicious File

A severe directory traversal vulnerability (CVE-2025-6218) in RARLAB’s WinRAR software enables remote code execution (RCE) by exploiting archive extraction processes.

Rated CVSS 7.8 (High), this flaw affects Windows versions of WinRAR, RAR, UnRAR, UnRAR.dll, and portable UnRAR source code, while Unix and Android versions remain unaffected.

Attackers can compromise systems by tricking users into opening malicious archives containing crafted file paths with directory traversal sequences (e.g., ../).

Successful exploitation allows arbitrary code execution in the victim’s security context, risking complete system compromise.

Technical Mechanism of Exploitation

The vulnerability stems from inadequate sanitization of file paths during archive extraction.

When processing a maliciously crafted archive, WinRAR fails to validate path names, permitting directory traversal beyond the intended extraction directory.

This allows attackers to:

  • Write files to critical system locations (e.g., Windows startup folders)
  • Deploy executables that trigger upon system reboot or user login
  • Execute payloads with the victim’s privileges without requiring elevated rights

Exploitation requires user interaction, typically achieved through phishing emails, malicious websites, or disguised archive downloads.

The attack vector is local (AV:L), but remote attackers leverage the internet to deliver malicious archives.
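To illustrate the containment check whose absence is described above (an added example, not RARLAB's code or its patch), this Python function vets archive entry names against a destination directory under Windows path rules before anything is written. The function names, destination path and entry names are constructed for the example, and refusing dot/space-only components is a conservative assumption.

```python
import ntpath  # Windows path rules; importable on any OS

def unsafe_reason(dest_dir, entry_name):
    """Return why entry_name must not be written under dest_dir, or None if contained."""
    drive, tail = ntpath.splitdrive(entry_name)
    if drive:
        return "carries its own drive or UNC share"
    if tail.startswith(("\\", "/")):
        return "rooted path"
    for part in tail.replace("/", "\\").split("\\"):
        # Assumption (conservative): Windows can trim trailing dots and spaces,
        # so a dot/space-only component other than "." or ".." is refused.
        if part not in ("", ".", "..") and part.strip(". ") == "":
            return "ambiguous dot/space component"
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, entry_name))
    # Compare whole components, not string prefixes: "out2" must not pass as "out".
    common = ntpath.commonpath([dest, target])
    if ntpath.normcase(common) != ntpath.normcase(dest):
        return "resolves outside destination"
    return None

def audit(dest_dir, entry_names):
    """Map each rejected entry name to the reason it was rejected."""
    reasons = ((name, unsafe_reason(dest_dir, name)) for name in entry_names)
    return {name: why for name, why in reasons if why}

# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\out"
ENTRIES = [
    "docs\\readme.txt",           # ordinary nested file
    "a\\..\\b.txt",               # ".." that stays inside the destination
    "..\\..\\Startup\\run.bat",   # climbs out of the destination
    "../up.txt",                  # forward-slash form of the same thing
    "..\\out2\\f.txt",            # sibling directory sharing a name prefix
    ".. \\x.txt",                 # ".." followed by a space
    "C:\\Windows\\x.dll",         # absolute path with a drive
    "\\Windows\\x.dll",           # rooted path without a drive
]

if __name__ == "__main__":
    for name, why in audit(DEST, ENTRIES).items():
        print(f"REJECT {name!r}: {why}")
```
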

Mitigation and Vendor Response

RARLAB addressed the vulnerability in WinRAR version 7.12 Beta 1, released on June 10, 2025. Users must immediately update to this version to prevent exploitation.

Key mitigation strategies include:

  • Patch deployment: Enterprises should prioritize updating all WinRAR installations
  • User vigilance: Avoid opening archives from untrusted sources
  • Network controls: Block suspicious archive files at email/web gateways

The flaw was discovered by researcher “whs3-detonator” and reported through Trend Micro’s Zero Day Initiative (ZDI) on June 5, 2025.

Coordinated public disclosure occurred on June 19, 2025.

Ongoing Risk Landscape

Although a patch is available, unpatched systems remain vulnerable to low-complexity attacks requiring minimal user interaction.

Security analysts note that:

  • No known active exploits currently exist, but weaponization is anticipated
  • Malicious actors frequently target compression software due to widespread enterprise use
  • Supply chain attacks could leverage this vulnerability to compromise software distribution channels

Organizations should conduct vulnerability scans for WinRAR versions 7.00 beta 1 through 7.10 and enforce update policies.

Cybersecurity authorities recommend treating this vulnerability as high-priority due to its RCE potential and attack simplicity.


The post WinRAR Directory Vulnerability Allows Execution of Arbitrary Code via Malicious File appeared first on Cyber Security News.
