Full Report
WinRAR has addressed a directory traversal vulnerability tracked as CVE-2025-6218 that, under certain circumstances, allows malware to be executed after extracting a malicious archive. [...]
Analysis Summary
# Vulnerability: WinRAR Archive Extraction Flaw Leading to Malware Launch/HTML Injection
## CVE Details
- CVE ID: CVE-2025-6218
- CVSS Score: Information not explicitly provided, but context suggests **High** severity due to potential malware launch upon archive extraction.
- CWE: Not stated in the source. The primary flaw is described as a directory traversal during archive extraction; the secondary report issue is an improper neutralization of special characters in HTML output (HTML injection).
## Affected Systems
- Products: WinRAR
- Versions: Versions prior to WinRAR 7.12 beta 1.
- Configurations: All users of older WinRAR versions should upgrade. The advisory notes that CVE-2025-6218 itself does not affect the Unix or Android versions or the portable UnRAR source code, but those builds still receive the HTML injection fix.
## Vulnerability Description
CVE-2025-6218 is a directory traversal flaw in WinRAR's archive extraction: under certain circumstances, extracting a specially crafted archive allows attacker-supplied malware to be executed afterwards. WinRAR 7.12 beta 1 also fixes an HTML injection issue in report generation: archived file names containing special characters were written into the HTML report unescaped, so they could act as raw HTML tags and lead to HTML/JavaScript injection if the report was later opened in a web browser. Minor issues with incomplete testing of recovery volumes and loss of timestamp precision for Unix records were fixed as well.
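Both issue classes described above have a well-known generic defence, and the following added example (illustrative code, not WinRAR's own, and not a reproduction of the CVE-2025-6218 condition) shows them side by side: an entry-path containment check that rejects archive entry names which would resolve outside the extraction directory, and an HTML report generator that escapes archived file names before writing them out. The entry names, the destination directory and the report layout are constructed for the example.

```python
"""Two defensive checks for the issue classes described above.

Added illustration; this is not WinRAR's code and does not reproduce the
CVE-2025-6218 condition. It shows (1) containment of archive entry paths
inside the extraction directory, the generic defence against directory
traversal in extractors, and (2) escaping of archived file names before
they are written into an HTML report.
"""
import html
import os
from pathlib import PurePosixPath, PureWindowsPath


def is_contained(dest_dir: str, entry_name: str) -> bool:
    """Return True only if dest_dir/entry_name resolves to a path inside dest_dir.

    Entry names come from the archive and are attacker-controlled. Absolute
    paths, drive letters and UNC prefixes are rejected outright; '..'
    segments are resolved by os.path.abspath and then checked against the
    destination. Both '/' and '\\' are treated as separators because
    archives created on different platforms may use either.
    """
    dest = os.path.abspath(dest_dir)
    if not entry_name or "\x00" in entry_name:
        return False
    if entry_name.startswith(("/", "\\")) or PureWindowsPath(entry_name).drive:
        return False
    parts = PurePosixPath(entry_name.replace("\\", "/")).parts
    target = os.path.abspath(os.path.join(dest, *parts))
    return target == dest or target.startswith(dest + os.sep)


def plan_extraction(dest_dir: str, entry_names):
    """Split entry names into those safe to write under dest_dir and those to reject."""
    allowed, rejected = [], []
    for name in entry_names:
        (allowed if is_contained(dest_dir, name) else rejected).append(name)
    return allowed, rejected


def html_report(entries) -> str:
    """Render a minimal extraction report; every file name is escaped.

    html.escape turns '<', '>', '&' and quotes into entities, so a name such
    as '<b>x</b>.txt' is displayed literally instead of being parsed as markup.
    """
    rows = "".join(
        f"<tr><td>{html.escape(name, quote=True)}</td><td>{size}</td></tr>"
        for name, size in entries
    )
    return f"<table><tr><th>Name</th><th>Size</th></tr>{rows}</table>"


if __name__ == "__main__":
    # Constructed sample entry names, not taken from any real archive.
    names = [
        "docs/readme.txt",
        "sub/../notes.txt",
        "../../escaped.exe",
        "C:\\Windows\\System32\\x.dll",
        "\\\\server\\share\\y.exe",
        "/etc/passwd",
        "<b>not bold</b>.txt",
    ]
    ok, bad = plan_extraction("/tmp/extract", names)
    print("allowed:", ok)
    print("rejected:", bad)
    print(html_report([(n, 0) for n in ok]))
```

The containment check deliberately normalises the name before joining it to the destination, so a `..` buried in the middle of a path is handled the same way as one at the start, and the escaping happens at the point where the name is placed into markup rather than at archive-read time, which is the only place it can be guaranteed to apply.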
## Exploitation
- Status: No reports of active exploitation **currently**, but the risk is considered **very high** due to widespread use and distribution vectors for malicious archives.
- Complexity: **Low** to **Medium** (Requires user interaction: opening a malicious archive or visiting a page displaying a malicious report).
- Attack Vector: Primarily **Network** (the malicious archive is delivered to the victim) combined with **Local** user action (extracting the archive, or viewing a generated report).
## Impact
- Confidentiality: High (Due to potential malware execution allowing for data exfiltration or lateral movement).
- Integrity: High (Due to potential malware execution).
- Availability: High (Due to potential malware execution resulting in system unavailability).
## Remediation
### Patches
- Upgrade immediately to **WinRAR 7.12 beta 1** or later.
### Workarounds
- No specific workarounds were given. The advisory's guidance implies that users not affected by the main flaw (Unix, Android, portable UnRAR source code) should still upgrade for the HTML injection fix; the core mitigation is applying the patch.
## Detection
- Indicators of Compromise: Execution of unexpected binaries after extraction of an untrusted archive; JavaScript execution when a WinRAR-generated HTML report is viewed in a browser.
- Detection methods and tools: Endpoint detection and response (EDR) tooling should alert on suspicious process creation whose parent is the archive extraction process, particularly executables started from user-writable locations shortly after a user opened an archive.
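The detection guidance above can be expressed as a simple correlation rule. The following added example (not from the article and not from any EDR product) runs such a rule over constructed process-creation records shaped after the fields that telemetry such as Sysmon Event ID 1 or an EDR equivalent usually carries: timestamp, parent image, image and command line. The field layout, the sample paths and the 120-second window are assumptions for the example; the rule is a triage heuristic for the described pattern, not a signature for CVE-2025-6218.

```python
"""Heuristic detection over process-creation telemetry.

Added example, not from the article or from any EDR product. The records
below are constructed and shaped after the fields that process-creation
events (e.g. Sysmon Event ID 1 or an EDR equivalent) usually carry:
timestamp, parent image, image, command line. The rule flags executables
that WinRAR spawns from user-writable locations shortly after an archive
was opened, which is the pattern described under Detection. It is a
triage heuristic, not a signature for CVE-2025-6218.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass
class ProcEvent:
    ts: datetime
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real logs). Fields are '|'-separated;
# the command line is the last field and may itself contain '|'.
SAMPLE_LOG = """\
2025-06-24T10:00:01Z|C:\\Windows\\explorer.exe|C:\\Program Files\\WinRAR\\WinRAR.exe|"C:\\Program Files\\WinRAR\\WinRAR.exe" "C:\\Users\\alice\\Downloads\\invoice.rar"
2025-06-24T10:00:05Z|C:\\Program Files\\WinRAR\\WinRAR.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.docx"
2025-06-24T10:00:09Z|C:\\Program Files\\WinRAR\\WinRAR.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe|"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
2025-06-24T11:30:00Z|C:\\Windows\\explorer.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|"C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
"""

# Directories normally not writable by a standard user; executables started
# from anywhere else count as "user-writable" for this heuristic.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ARCHIVER = "winrar.exe"


def parse_log(text: str):
    """Parse the constructed '|'-separated records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmd = line.split("|", 3)
        events.append(ProcEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), parent, image, cmd))
    return events


def is_user_writable(path: str) -> bool:
    """True when the image lives outside the trusted system/program roots."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def find_suspicious(events, window=timedelta(seconds=120)):
    """Return events where WinRAR spawned an executable from a user-writable
    location within `window` after a WinRAR process itself was started."""
    opens = [e.ts for e in events if ntpath.basename(e.image).lower() == ARCHIVER]
    hits = []
    for e in events:
        if ntpath.basename(e.parent_image).lower() != ARCHIVER:
            continue
        if not is_user_writable(e.image):
            continue
        if any(timedelta(0) <= e.ts - t <= window for t in opens):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{hit.ts.isoformat()} {hit.parent_image} -> {hit.image}")
```

On the sample, only the Temp-directory executable spawned by WinRAR eight seconds after the archive was opened is flagged; the Word launch from Program Files and the later `explorer.exe`-spawned binary are not, which keeps the rule scoped to the post-extraction pattern rather than to every executable in a user-writable directory.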
## References
- Vendor Advisory: WinRAR 7.12 beta 1 release notes (implied by the article content).
- Relevant links: bleepingcomputer.com/news/security/winrar-patches-bug-letting-malware-launch-from-extracted-archives/