Update your WinRAR as soon as possible!
WinRAR has fixed a serious vulnerability that could allow malware to execute immediately after extracting an infected archive. The issue is identified as CVE-2025-6218 and has been rated 7.8 on the CVSS scale, indicating a high-level threat.
This vulnerability was discovered by a specialist named whs3-detonator and officially registered through the Zero Day Initiative platform on June 5, 2025. The bug affects only the Windows versions of WinRAR, version 7.11 and earlier. A fix is already available: it is included in WinRAR version 7.12 beta 1, which was released recently.
As explained in the update description, earlier versions of WinRAR, Windows RAR, UnRAR, as well as the portable UnRAR and UnRAR.dll library, could be tricked when extracting a specially crafted archive. The malicious archive could contain files with fake relative paths, causing the files to be silently extracted not where the user intended, but in system directories or Windows' startup folders.
If such files are malicious, they could activate automatically when the user logs in. While these programs run with user rights rather than administrator or system rights, that’s still enough to steal sensitive data such as saved passwords and browser cookies, as well as to install hidden access mechanisms or facilitate further movement within the network.
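The check below is an added example, not WinRAR's own code: it shows how an archive-inspection tool can audit entry names before extraction, flagging entries whose relative path escapes the chosen destination folder and entries that would land in a Start Menu Startup folder, which is the pattern the article describes. The extraction directory and the entry names are constructed for illustration; it uses only Python's `ntpath` so it runs on any platform.

```python
import ntpath

# Constructed entry names as they might appear in an archive listing.
# Illustrative only; not taken from any real sample.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "..\\..\\..\\..\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Windows\\System32\\evil.dll",
    "photos/../../run.bat",
    "normal/../still_inside.txt",
]

# Case-folded fragment identifying a per-user or all-users Startup folder.
STARTUP_MARKER = ntpath.normcase("\\Start Menu\\Programs\\Startup\\")


def resolve_entry(dest_dir, name):
    """Absolute Windows path the entry would occupy if an extractor
    honoured the archive's stored name literally, without sanitising it."""
    name = name.replace("/", "\\")
    # Drive-letter, UNC or root-relative names ignore dest_dir entirely.
    if ntpath.splitdrive(name)[0] or name.startswith("\\"):
        target = name
    else:
        target = ntpath.join(dest_dir, name)
    return ntpath.normpath(target)  # collapses '..' components


def classify_entry(dest_dir, name):
    """Return 'ok', 'escapes-destination' or 'startup-folder'."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\")
    target = ntpath.normcase(resolve_entry(dest_dir, name))
    inside = target == dest or target.startswith(dest + "\\")
    if STARTUP_MARKER in target + "\\":
        return "startup-folder"  # would auto-run at next logon
    if not inside:
        return "escapes-destination"  # classic path traversal
    return "ok"


def audit_entries(dest_dir, names):
    """Map every entry name to its classification for the given dest_dir."""
    return {n: classify_entry(dest_dir, n) for n in names}


if __name__ == "__main__":
    for entry, verdict in audit_entries(
            "C:\\Users\\alice\\Downloads\\extract", SAMPLE_ENTRIES).items():
        print(f"{verdict:20} {entry}")
```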
The risk of CVE-2025-6218 is somewhat limited by the fact that exploiting the vulnerability requires user involvement — the user must open the malicious archive or click on a specially crafted link. However, given WinRAR's widespread use and the variety of methods for delivering infected archives, the real threat remains high.
Along with fixing CVE-2025-6218, the new version of WinRAR also addresses another issue — HTML code injection in report generation. This vulnerability was discovered by specialist Marcin Bobryk. It allowed arbitrary HTML or JavaScript to be injected into the final report if the file name inside the archive contained special characters like "<" or ">". When opening such a report in a browser, unauthorized code injection could occur.
Additionally, the update resolves two less significant bugs — incomplete recovery volume checks and the loss of timestamp accuracy for Unix files.
Although CVE-2025-6218 does not affect Unix, Android, or portable UnRAR versions, the developers recommend that all users, regardless of platform, update their software to the latest version as soon as possible.
Currently, there are no reports of active exploitation of CVE-2025-6218. However, given WinRAR's global prevalence and hackers' long-standing interest in this software, experts strongly advise not delaying the update.
