WinRAR Directory Vulnerability Allows Arbitrary Code Execution via Malicious File

A critical security vulnerability has been discovered in RARLAB’s popular WinRAR archiving software that allows remote attackers to execute arbitrary code on affected systems through directory traversal exploitation.

The vulnerability, designated as CVE-2025-6218 with a CVSS score of 7.8, affects WinRAR installations and requires user interaction to be successfully exploited, typically through opening malicious archive files or visiting compromised web pages.

The vulnerability, identified as ZDI-25-409 and tracked under ZDI-CAN-27198, stems from improper handling of file paths within archive files processed by WinRAR.

Security researchers have determined that specially crafted file paths embedded within malicious archives can cause the application to traverse to unintended directories during extraction operations.

This directory traversal weakness creates a pathway for attackers to place malicious executable files in critical system locations, ultimately enabling code execution within the security context of the current user.

The attack vector requires social engineering components, as potential victims must be tricked into opening malicious archive files or visiting compromised websites hosting such files.

Once the malicious archive is processed by WinRAR, the crafted file paths exploit the directory traversal vulnerability to bypass intended extraction boundaries.

This mechanism allows attackers to write files to arbitrary locations on the target system, potentially overwriting critical system files or placing malware in startup directories.

WinRAR Directory Vulnerability

RARLAB responded promptly to the vulnerability disclosure, following a responsible disclosure process with key milestones:

• Initial Report: Security researcher whs3-detonator reported the vulnerability to RARLAB on June 5, 2025.
• Coordinated Release: Public advisory was released on June 19, 2025, providing immediate notification to users.
• Security Update: RARLAB issued a comprehensive security update to address the vulnerability.
• Official Documentation: Detailed information and download links are available through the vendor’s official website.
• User Guidance: The vendor’s advisory provides comprehensive guidance for system protection and emphasizes immediate updating.
• Timeline Significance: The relatively short 14-day timeframe between initial disclosure and public release reflects the serious nature of the vulnerability and potential for widespread exploitation.

Mitigations

The discovery of this directory traversal vulnerability highlights ongoing security challenges in file archiving software, particularly regarding the validation of file paths during extraction operations.

With a CVSS score of 7.8, classified as “High” severity, this vulnerability poses significant risks to organizations and individual users who regularly handle archive files from untrusted sources.

Security experts recommend immediate updating to the latest WinRAR version as the primary mitigation strategy.

Additionally, users should exercise caution when handling archive files from unknown sources, implementing additional security layers such as antivirus scanning and sandboxing environments for processing potentially suspicious files.

Organizations should prioritize this update in their patch management cycles, given WinRAR’s widespread deployment in enterprise environments.

The vulnerability serves as a reminder of the importance of input validation in file processing applications and the potential security risks associated with seemingly benign file operations like archive extraction.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.