WinRAR Vulnerability CVE-2025-6218 Added to CISA KEV After Active Exploitation by Multiple Threat Groups
CISA has added the WinRAR vulnerability CVE-2025-6218 to its Known Exploited Vulnerabilities (KEV) catalog following confirmed, widespread exploitation by several threat actors, including GOFFEE, Bitter APT and Gamaredon.
The flaw is a path traversal vulnerability in the Windows version of WinRAR that enables arbitrary code execution when a user opens a malicious archive or visits a malicious page.
RARLAB patched the issue in WinRAR 7.12 (June 2025), but millions of systems remain exposed.
What attackers can do
The vulnerability allows adversaries to:
write files into sensitive folders (e.g., Windows Startup)
achieve automatic execution on next login
replace trusted files, such as global Office templates, enabling persistence
Threat Actors Actively Exploiting the Flaw
1) GOFFEE (Paper Werewolf)
Combines CVE-2025-6218 with CVE-2025-8088 in phishing campaigns targeting government and enterprise organizations.
2) Bitter APT (APT-C-08)
Uses malicious RAR archives that deliver a trojan through a compromised Normal.dotm template, so the payload runs every time Word is launched.
Capabilities: keylogging, screenshots, RDP credential harvesting, C2 communication.
3) Gamaredon
Targets Ukrainian entities with Pteranodon malware and GamaWiper, marking the group’s first documented destructive operation, according to ClearSky.
Campaign observed in November 2025.
DIAMATIX Perspective
This incident underscores the need for:
rapid patching of client-side software;
full visibility into archive extraction behaviors and file writes;
24/7 MDR monitoring for persistence artifacts and post-exploitation activity.
Shield SIEM/XDR + MDR 360° enhance detection of:
suspicious template modifications (Normal.dotm);
unexpected file creation in startup directories;
malicious script execution paths;
privilege escalation patterns following archive interaction.
When multiple APT groups exploit the same vulnerability, it becomes a strategic priority for all organizations to patch and monitor aggressively.
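As an added, defender-side illustration of the detection signals listed above (this is not DIAMATIX or RARLAB code): the constructed records below mimic Sysmon Event ID 11 (FileCreate) data, and the check flags only writes by an archive extractor into a Startup folder or onto Normal.dotm, while Word's own save of its template passes as baseline. The extractor image names other than WinRAR.exe, and all sample paths, are assumptions.

```python
"""Flag archive-extractor file writes into autostart and Office template paths.

Added example for this article. Field names (Image, TargetFilename) follow
Sysmon Event ID 11; the event records themselves are constructed.
"""
import re

# Locations the article names as abuse targets: the per-user and all-users
# Startup folders (one case-insensitive pattern covers both) and the global
# Word template Normal.dotm under the user's Templates folder.
SENSITIVE_PATTERNS = [
    re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I),
    re.compile(r"\\Microsoft\\Templates\\Normal\.dotm$", re.I),
]

# Process images that perform archive extraction. Only WinRAR is named on the
# page; the console extractor name is an assumption for illustration.
EXTRACTOR_IMAGES = {"winrar.exe", "unrar.exe"}


def is_sensitive_path(path):
    """True when the written path is a Startup folder entry or Normal.dotm."""
    return any(p.search(path) for p in SENSITIVE_PATTERNS)


def flag_events(events):
    """Return FileCreate events where an archive extractor wrote to a sensitive path."""
    hits = []
    for ev in events:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image in EXTRACTOR_IMAGES and is_sensitive_path(ev.get("TargetFilename", "")):
            hits.append(ev)
    return hits


# Constructed sample telemetry: one benign extraction, two extractor writes
# outside the download folder, and Word itself updating its own template.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\report.pdf"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT extractor write:", hit["Image"], "->", hit["TargetFilename"])
```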
Sources
CISA KEV
TheHackerNews
BI.ZONE Threat Intelligence
Foresiet Research
ClearSky Cybersecurity
MITRE CVE Database