
WinRAR Directory Traversal & NTFS ADS Vulnerabilities (CVE-2025-6218 & CVE-2025-8088)

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

Two high-severity vulnerabilities in WinRAR for Windows enable attackers to write files outside intended extraction directories. CVE-2025-6218 involves traditional path traversal, while CVE-2025-8088 extends the attack using NTFS Alternate Data Streams. Both flaws allow for reliable persistence and remote code execution in enterprise environments. Threat actors RomCom and Paper Werewolf have exploited CVE-2025-8088 in active campaigns. The vulnerabilities affect WinRAR versions 7.11 and earlier, with fixes available in versions 7.12 Beta 1 and 7.13. Exploitation requires minimal user interaction and can lead to stealthy persistence by dropping files into autorun locations or hiding payloads in ADS. Immediate patching and proactive hunting for ADS and Startup modifications are essential for defense.

OPENCTI LABELS :

remote code execution,zero-day,winrar,cve-2025-8088,cve-2025-6218


AI COMMENTARY :

1. Introduction to WinRAR Directory Traversal & NTFS ADS Vulnerabilities

The WinRAR archive utility for Windows has been discovered to contain two high-severity zero-day vulnerabilities tracked as CVE-2025-6218 and CVE-2025-8088. These flaws enable a malicious actor to bypass intended extraction paths and write files to arbitrary locations on the target system. While the first vulnerability leverages classic directory traversal techniques, the second exploits NTFS Alternate Data Streams to achieve stealthy persistence and potential remote code execution in enterprise environments.

2. Technical Analysis of CVE-2025-6218: Traditional Path Traversal

CVE-2025-6218 arises when WinRAR fails to normalize archive entries containing crafted ../ sequences. By embedding relative path segments in file names, an attacker can coerce the extraction process into depositing executable or configuration files outside the target directory. This flaw requires minimal user interaction beyond opening a specially prepared archive and can be automated to deliver malicious binaries directly into autorun locations or system folders, enabling reliable persistence across reboots.

3. Technical Analysis of CVE-2025-8088: NTFS Alternate Data Streams Abuse

CVE-2025-8088 builds upon the directory traversal concept by targeting NTFS Alternate Data Streams. An adversary crafts files with ADS syntax in the archive entries, causing WinRAR to create hidden streams attached to innocuous host files. This method conceals payloads from common file listings and antivirus scanners, facilitating stealthy code execution when the host file is accessed. The exploitation of ADS demands awareness of underlying file system mechanics and grants attackers the ability to hide backdoors in plain sight.

4. Threat Actors and Active Exploitation

Security researchers have observed two threat groups, RomCom and Paper Werewolf, actively exploiting CVE-2025-8088 in targeted campaigns. Both actors use social engineering lures to trick victims into extracting malicious archives. RomCom focuses on financial institutions, planting ADS-based dropper files in startup folders, while Paper Werewolf targets government and critical infrastructure networks, leveraging remote code execution to deploy additional tooling for lateral movement and data theft.

5. Impact on Enterprise Environments and Remote Code Execution Risks

The combination of directory traversal and ADS abuse poses a significant risk to organizations seeking to maintain secure software supply chains. Successful exploitation can result in the silent deployment of remote code execution payloads, enabling adversaries to gain initial footholds, escalate privileges, and establish long-term persistence. The minimal user interaction required and the stealth afforded by ADS make detection and remediation challenging for standard endpoint protection solutions.

6. Recommended Mitigations and Proactive Hunting

Administrators must upgrade WinRAR to version 7.12 Beta 1 or later, with full fixes in version 7.13, to eliminate both vulnerabilities. Security teams should proactively hunt for unexpected ADS on critical systems by querying NTFS streams and inspecting startup folder modifications. Implementing application control policies to restrict WinRAR execution and monitoring archive extraction processes can further reduce exploitation risk. Regular endpoint scans for unauthorized dropper files and reviewing system integrity baselines will enhance detection capabilities.
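The entry shapes described in sections 2 and 3 (relative ../ segments and host:stream ADS syntax) and the Startup-folder concern in section 6 can be screened before anything is written to disk. The check below is an added example for a defender's triage or mail-gateway tooling, not code from the report or from WinRAR; the extraction folder, the profile name "victim" in the autorun locations, and the sample entry listing are all constructed assumptions, and the check deliberately flags any ".." even when it would resolve back inside the destination.

```python
import re

# Constructed autorun locations for the check; the profile name "victim" is an
# assumption, not a value from the report.
AUTORUN_DIRS = (
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
)
_DRIVE_RE = re.compile(r"^[A-Za-z]:")

def _segments(path):
    # Archives may carry either separator: split on both, drop empty and "." parts,
    # and lower-case everything because NTFS compares paths case-insensitively.
    return [s.lower() for s in re.split(r"[\\/]+", path) if s not in ("", ".")]

def check_entry(entry, dest, autorun_dirs=AUTORUN_DIRS):
    """Classify one archive entry name against the chosen extraction folder."""
    dest_parts, segs = _segments(dest), _segments(entry)
    absolute = entry[:1] in ("\\", "/") or bool(_DRIVE_RE.match(entry))
    traversal = ".." in segs
    # A colon in any component other than a leading drive letter is NTFS stream
    # syntax such as host.txt:payload.exe (the CVE-2025-8088 entry shape).
    ads = any(":" in s for s in (segs[1:] if _DRIVE_RE.match(entry) else segs))
    if absolute:
        target = segs                 # lands exactly where the entry says
    else:
        target = list(dest_parts)     # collapse ".." the way the file system does
        for seg in segs:
            if seg != "..":
                target.append(seg)
            elif len(target) > 1:     # never rise above the drive root
                target.pop()
    inside = target[:len(dest_parts)] == dest_parts
    autorun = any(target[:len(a)] == a for a in map(_segments, autorun_dirs))
    return {"entry": entry, "target": "\\".join(target), "absolute": absolute,
            "traversal": traversal, "ads": ads, "inside_dest": inside,
            "autorun": autorun,
            "suspicious": absolute or traversal or ads or not inside}

def suspicious_entries(entries, dest):
    """Findings for every entry that must not be extracted as-is."""
    return [r for r in (check_entry(e, dest) for e in entries) if r["suspicious"]]

# Constructed sample listing: a benign document plus the entry shapes the report describes.
SAMPLE_DEST = r"C:\Users\victim\Downloads\invoice"
SAMPLE_ENTRIES = [
    "invoice.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
    "invoice.pdf:payload.exe",
    r"C:\Windows\Temp\helper.exe",
]
```

Running suspicious_entries(SAMPLE_ENTRIES, SAMPLE_DEST) reports the last three entries, with the traversal entry additionally marked as landing in an autorun folder.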

7. Conclusion and Call to Action

The discovery of CVE-2025-6218 and CVE-2025-8088 underscores the persistent threat posed by archive utility vulnerabilities and zero-day exploits. Enterprises must act swiftly to apply patches, strengthen detection strategies, and educate users about the dangers of handling untrusted archives. By combining timely updates with continuous monitoring for ADS and startup anomalies, organizations can mitigate the risk of remote code execution and maintain robust security postures in the face of evolving threat actor tactics.

