WinRAR Archive Extraction Path Traversal (CVE-2025-6218)
by skimask1690 · 2026-05-15
- Severity: High
- CVE: CVE-2025-6218
- Category: misc
- Affected product: WinRAR archive extraction workflow
- Affected versions: WinRAR 7.11 and earlier
- Disclosed: 2026-05-15
- Patch status: unpatched
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-15 |
| Author / Researcher | skimask1690 |
| CVE / Advisory | CVE-2025-6218 |
| Category | misc |
| Severity | High |
| CVSS Score | N/A |
| Status | Weaponized |
| Tags | path-traversal, arbitrary-file-write, startup-folder, WinRAR, Windows, user-interaction |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | WinRAR archive extraction workflow |
| Versions Affected | WinRAR 7.11 and earlier |
| Language / Platform | Batch / Windows |
| Authentication Required | Partial (user interaction required) |
| Network Access Required | Local only |
Summary
This PoC demonstrates CVE-2025-6218 in WinRAR, where a crafted archive extraction path can place files outside the intended destination directory. The provided batch script builds a ZIP archive that writes a .bat file into the current user’s Startup folder. On vulnerable versions, extracting this archive via WinRAR’s extraction flow can lead to code execution on next logon.
Vulnerability Details
Root Cause
WinRAR path handling in the vulnerable extraction workflow allows traversal-like path placement during archive extraction, enabling attacker-controlled file write to sensitive user-writable locations such as Startup.
Attack Vector
An attacker prepares a crafted archive and delivers it to a target user. The user opens the archive with WinRAR and extracts it using the indicated extraction option. The extracted payload lands in the Startup folder.
Impact
Arbitrary file write to Startup can be abused for persistence and execution of attacker-controlled commands when the user logs in, resulting in local code execution in the victim user context.
Environment / Lab Setup
OS: Windows
Target: WinRAR 7.11 or earlier
Attacker: Authorized security tester
Tools: WinRAR (default install path), cmd.exe
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Generate the crafted archive by running the batch script: exploit.bat
2. Extract it in the vulnerable WinRAR flow by right-clicking the ZIP, opening it with WinRAR, and using **Extract to {folder}**.
3. Verify the Startup drop at: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
4. Log off and on again, and observe calc.exe execution from the Startup payload.
Exploit Code
See exploit.bat in this folder.
Expected Output
[+] CVE-2025-6218.zip created successfully!
Screenshots / Evidence
screenshots/: add authorized lab screenshots showing Startup file placement and post-login execution.
Detection & Indicators of Compromise
- Unexpected .bat/.cmd files written to user Startup folders after archive extraction
- WinRAR extraction activity followed by new persistence artifacts in Startup
- Unexpected calculator or command execution at user logon
SIEM / IDS Rule (example):
Detect archive extraction process chain where WinRAR writes files under
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
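The rule sketched above, written out as an added example (not code from the PoC repository) in Python over constructed Sysmon Event ID 11 (FileCreate) records: it flags file creates by an archiver process that land in any user's Startup folder with a script or executable extension. Field names follow Sysmon's FileCreate event; the sample events are constructed, and the archiver image names are an assumption.

```python
import re
from typing import Iterable

# Constructed Sysmon Event ID 11 (FileCreate) records, reduced to the fields
# the rule needs. Sample data, not log lines from the original page.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.bat"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\archive\readme.txt"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "TargetFilename": ""},
]

# Per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup),
# matched case-insensitively and independent of the user name in the path.
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)
# Archiver binaries to scope the rule to (assumed names; extend for other extractors).
ARCHIVER_RE = re.compile(r"\\(WinRAR|Rar|UnRAR)\.exe$", re.IGNORECASE)
# Extensions the page's IoC list calls out (.bat/.cmd) plus other auto-run-capable types.
SUSPICIOUS_EXT = (".bat", ".cmd", ".exe", ".vbs", ".ps1", ".js", ".lnk")


def is_startup_drop_by_archiver(event: dict) -> bool:
    """True when an archiver process created a runnable file in a user's Startup folder."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    return bool(ARCHIVER_RE.search(event.get("Image", ""))
                and STARTUP_RE.search(target)
                and target.lower().endswith(SUSPICIOUS_EXT))


def detect_startup_drops(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event that matches the rule."""
    return [e["TargetFilename"] for e in events if is_startup_drop_by_archiver(e)]


if __name__ == "__main__":
    for hit in detect_startup_drops(SAMPLE_EVENTS):
        print("[ALERT] archiver wrote to Startup:", hit)
```

The explorer.exe shortcut is deliberately not flagged: scoping the write to the archiver process is what separates this persistence drop from a user pinning a program to Startup by hand.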
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade WinRAR to 7.12 or later |
| Workaround | Avoid extracting untrusted archives; disable automatic Startup execution monitoring exceptions |
| Config Hardening | Monitor and alert on new files in Startup folders and restrict untrusted archive handling |
Notes
Auto-ingested from https://github.com/skimask1690/CVE-2025-6218-POC on 2026-05-15.