Two high-severity vulnerabilities in WinRAR for Windows allow attackers to write files outside the intended extraction directory. CVE-2025-6218 is a traditional path traversal flaw, while CVE-2025-8088 extends the same attack using NTFS Alternate Data Streams (ADS). Both flaws allow for reliable persistence and remote code execution in enterprise environments. The threat actors RomCom and Paper Werewolf have exploited CVE-2025-8088 in active campaigns. The vulnerabilities affect WinRAR versions 7.11 and earlier; fixes are available in versions 7.12 Beta 1 and 7.13. Exploitation requires minimal user interaction and can lead to stealthy persistence by dropping files into autorun locations or hiding payloads in ADS. Immediate patching, together with proactive hunting for ADS and Startup-folder modifications, is essential for defense.

Author: AlienVault
Related Tags:
cve-2025-6218
Romcom.49869.SL
T1564.004
remote code execution
Zero-Day
T1547.001
Russian Federation
Aerospace
T1204
Associated Indicators:
SHA-256: 49023B86FDE4430FAF22B9C39E921541E20224C47FA46FF473F880D5AE5BC1F1
SHA-1: A4AAD0E2AC1EE0C8DD25968FA4631805689757B6
MD5: 9A9E74B14BBD569629C09CD48F0F1874