WinRAR: Code smuggling vulnerability is being attacked
This summer, a WinRAR update closed a security vulnerability that allowed code smuggling. That vulnerability is now being attacked.
(Image: heise online / dmk)
A security vulnerability in the WinRAR compression program, present in versions before 7.12 Beta 1, allows attackers to inject malicious code. Attacks exploiting this vulnerability have now been observed. WinRAR users should therefore update to a newer version promptly.
On Wednesday night, the US cybersecurity agency CISA added the WinRAR vulnerability to its Known Exploited Vulnerabilities catalog, a collection of security flaws known to be under attack. The vulnerability became known towards the end of June this year, when WinRAR closed it in version 7.12b1.
Vulnerability allows injection of malicious code
WinRAR described the security vulnerability as follows: "When extracting files, WinRAR, RAR, UnRAR, portable UnRAR, and UnRAR.dll can be made to use a path specified in a manipulated archive instead of a user-specified path." Trend Micro's Zero Day Initiative (ZDI) was more specific: "The specific flaw lies in how paths within archive files are handled. A crafted file path can cause the process to traverse into unintended directories. Attackers can exploit this to execute malicious code in the context of the current user" (CVE-2025-6218, CVSS 7.8, risk "high").
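The kind of check both descriptions point to, as an added example (not WinRAR's code and not part of the original article): a lexical containment test that an extraction tool can apply to every entry path before writing anything. The function names, the destination directory and the sample entry names are assumptions constructed for illustration; the article gives no details of how CVE-2025-6218 itself is triggered.

```python
import ntpath  # Windows path rules, usable on any OS

def check_entry(dest_dir, entry_name):
    """Return (target, None) if entry_name stays inside dest_dir,
    otherwise (None, reason). Lexical check only; no filesystem access."""
    name = entry_name.replace("/", "\\")   # archives may store either separator
    drive, rest = ntpath.splitdrive(name)
    if drive:
        return None, "drive or UNC prefix"
    if rest.startswith("\\"):
        return None, "rooted path"
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, rest))
    # Compare whole components, case-insensitively. A plain startswith()
    # would accept a sibling such as "out2" for destination "out".
    common = ntpath.commonpath([base, target])
    if ntpath.normcase(common) != ntpath.normcase(base):
        return None, "resolves outside destination"
    return target, None

def audit(dest_dir, entry_names):
    """Map each rejected entry name to the reason it was rejected."""
    rejected = {}
    for name in entry_names:
        _, reason = check_entry(dest_dir, name)
        if reason:
            rejected[name] = reason
    return rejected

# Constructed sample data, not taken from any real archive.
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE = [
    r"docs\readme.txt",
    r"docs\..\notes.txt",
    r"..\..\outside.txt",
    r"..\out2\x.txt",
    r"D:\other\x.txt",
    r"\\server\share\x.txt",
    "/rooted.txt",
]

if __name__ == "__main__":
    for name, reason in audit(DEST, SAMPLE).items():
        print(f"REJECT {name!r}: {reason}")
```

The check is purely lexical, so it does not account for symbolic links or junctions that already exist inside the destination directory.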
Neither Rarlabs nor ZDI specifies which file types are affected. However, attackers can apparently exploit the flaw with manipulated files, and are doing so. CISA does not reveal what the attacks look like or how extensive they are. There is therefore no guidance on how to find out whether you are affected. In any case, updating to a newer version of the compression program for Windows fixes the problem.
The current stable version on the WinRAR download page is WinRAR 7.13. WinRAR users should run at least version 7.12b1, or preferably the current stable version.
(dmk)