WinRAR Directory Traversal & NTFS ADS Vulnerabilities (CVE-2025-6218 & CVE-2025-8088)
Aug. 25, 2025, 8:08 p.m.
Description
Two high-severity vulnerabilities in WinRAR for Windows let a crafted archive write files outside the directory chosen for extraction. CVE-2025-6218 is a conventional path traversal: entry names containing `..` components or absolute paths are honoured when the files are written. CVE-2025-8088 extends the technique with NTFS Alternate Data Streams, carrying the traversal in the stream portion of an entry name (`file.ext:stream`) so that the file path WinRAR validates looks benign. In both cases the primitive is an arbitrary file write with the privileges of the user running WinRAR, which attackers turn into persistence and code execution by dropping a payload or shortcut into an autorun location such as the per-user Startup folder, so that it runs at the next logon; ADS can also be used to keep the payload out of sight of a plain directory listing. The threat actors RomCom and Paper Werewolf have exploited CVE-2025-8088 in active campaigns. CVE-2025-6218 affects WinRAR 7.11 and earlier and was fixed in 7.12 Beta 1; CVE-2025-8088 affects 7.12 and earlier and was fixed in 7.13. Exploitation needs no more from the victim than opening or extracting the archive. Update to WinRAR 7.13 and hunt proactively for recent additions to Startup folders and for unexpected alternate data streams on extracted files.
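The check that both flaws bypass is the one a safe extractor (or an archive scanner in front of the mailbox) must make on every entry name before writing anything. The Python screener below is an added example, not code from WinRAR, from the advisory, or from the researchers who analysed the campaigns: it resolves each entry against the extraction directory, splits off any ADS stream name, and reports the plain-traversal shape of CVE-2025-6218 and the traversal-inside-a-stream-name shape of CVE-2025-8088. The extraction directory (`EXTRACT_DIR`) and the sample entry names are constructed for the demonstration and are not indicators from the campaigns.

```python
"""Screen archive entry names for the two WinRAR path-handling flaws.

Added example (not WinRAR or advisory code). ntpath is used so the
Windows path semantics are reproduced on any host the scanner runs on.
"""
import ntpath

# Assumed extraction destination, constructed for the example.
EXTRACT_DIR = r"C:\Users\victim\Downloads\cv"

# Constructed sample entries modelled on the patterns described above:
# a benign decoy, a '..' traversal into the per-user Startup folder, an
# absolute path, a harmless ADS, and an ADS whose stream name carries the
# traversal (the CVE-2025-8088 shape). None of these are real IOCs.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    r"decoy.pdf",
    r"..\..\%s\Updater.lnk" % STARTUP,
    r"C:\Users\Public\Updater.exe",
    r"decoy.pdf:Zone.Identifier",
    r"decoy.pdf:..\..\%s\Updater.lnk" % STARTUP,
]


def split_ads(name):
    """Split 'path:stream' into (path, stream).

    A drive-letter colon (C:\\...) is not an ADS separator, so the drive is
    peeled off first. Returns (name, None) when there is no stream part.
    """
    drive, rest = ntpath.splitdrive(name)
    if ":" in rest:
        path, stream = rest.split(":", 1)
        return drive + path, stream
    return name, None


def resolve(base, rel):
    """Absolute path an entry named 'rel' would be written to under 'base'.

    ntpath.join discards 'base' when 'rel' is absolute or rooted, and
    normpath collapses '..' components: this is exactly how a naive
    extractor ends up writing outside its target directory.
    """
    return ntpath.normpath(ntpath.join(base, rel))


def escapes(base, target):
    """True if 'target' is neither 'base' itself nor a descendant of it."""
    b = ntpath.normcase(ntpath.normpath(base))
    t = ntpath.normcase(target)
    return t != b and not t.startswith(b + ntpath.sep)


def classify(entry, base=EXTRACT_DIR):
    """Return (verdict, resolved_path) for one archive entry name.

    Verdicts: 'ok'; 'traversal' for a path that lands outside base (the
    CVE-2025-6218 shape, absolute paths included); 'ads' for a stream that
    stays on a file inside base; 'ads_path' when the stream name is abused
    as a path but stays inside; 'ads_traversal' when the stream name walks
    out of base (the CVE-2025-8088 shape).
    """
    path, stream = split_ads(entry)
    target = resolve(base, path)
    if escapes(base, target):
        return "traversal", target
    if stream is None:
        return "ok", target
    # NTFS stream names may not contain path separators, so any separator
    # or '..' component means the stream part is being used as a path.
    stream_norm = stream.replace("/", "\\")
    if "\\" in stream_norm or ".." in stream_norm.split("\\"):
        # Model the stream 'path' as resolved from the host file's directory.
        landing = resolve(ntpath.dirname(target), stream_norm)
        verdict = "ads_traversal" if escapes(base, landing) else "ads_path"
        return verdict, landing
    return "ads", target + ":" + stream


def screen(entries, base=EXTRACT_DIR):
    """Classify every entry; returns a list of (entry, verdict, resolved)."""
    return [(e,) + classify(e, base) for e in entries]


if __name__ == "__main__":
    for entry, verdict, where in screen(SAMPLE_ENTRIES):
        print(f"{verdict:14} {entry!r:75} -> {where}")
```

Anything other than `ok` should stop extraction of the whole archive rather than just skip the entry, since a decoy document plus one traversal entry is the shape of the lures described above; the `ads` verdict is informational, but an archive that ships alternate data streams at all deserves a second look.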
Tags
Date
- Created: Aug. 25, 2025, 5:59 p.m.
- Published: Aug. 25, 2025, 5:59 p.m.
- Modified: Aug. 25, 2025, 8:08 p.m.
Indicators
- a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa
- 8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7
- 4da20b8b16f006a6a745032165be68c42efef9709c8e133e39d4b6951cca5179
- 49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1
Attack Patterns
Additional Information
- Aerospace
- Defense
- Russian Federation