Executive Summary
Two high-severity vulnerabilities in WinRAR for Windows — CVE-2025-6218 and CVE-2025-8088 — allow attackers to write files outside the intended extraction directory. CVE-2025-6218 involves traditional path traversal, while CVE-2025-8088 extends the attack using NTFS Alternate Data Streams (ADS). Both flaws can be exploited by delivering a malicious archive to a user and relying on minimal interaction (just extraction).
Why it matters: These flaws enable reliable persistence and remote code execution (RCE) in enterprise environments. Threat actors, including RomCom and Paper Werewolf (aka GOFFEE), have exploited CVE-2025-8088 in active campaigns.
Vulnerability Overview
- CVE-2025-6218
  - Type: Directory Traversal during extraction
  - Affected: WinRAR for Windows 7.11 and earlier (before 7.12 Beta 1)
  - Fixed in: 7.12 Beta 1
  - Impact: Files can be dropped outside the target extraction directory, e.g., into Windows Startup.
- CVE-2025-8088
  - Type: Directory Traversal via NTFS ADS syntax (e.g., readme.txt:stream)
  - Affected: WinRAR for Windows 7.12 and earlier
  - Fixed in: 7.13
  - Impact: Attackers can hide payloads in ADS or place them into autorun locations for stealthy persistence.
- Affected Components: WinRAR for Windows (GUI/CLI), UnRAR/UnRAR.dll, portable UnRAR (Windows builds)
Technical Details
CVE-2025-6218 – Directory Traversal in Archive Extraction
Root Cause: The RARReadHeader / RARProcessFile routines in WinRAR fail to normalize or validate relative path components (‘..\’, ‘../’). Because the output path is neither canonicalized nor bounded to the chosen destination directory, an attacker controls where the extracted file is written and can force writes outside the extraction directory.
Trigger: Any malicious RAR/ZIP archive containing file entries with traversal sequences in their header metadata.
Example Payload Path:
..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe
Impact: File lands in Startup folder → auto-executes on login under user privileges.
Variant Notes: The flaw is exploitable whether the archive entry’s stored path is absolute (a full system path) or relative (using traversal sequences), and regardless of the extraction destination the user chose. It does not require overwriting existing files; it can create new ones.
Absolute path example:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe
When extracted, the file is placed directly in the Startup folder, ignoring the chosen extraction directory.
Relative path example:
..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe
The ‘..\’ sequences walk up the directory tree from the extraction location, then down into the Startup folder.
No Need to Overwrite Existing Files: The flaw allows new files to be created in sensitive locations even if they didn’t exist. This enables persistence without replacing trusted binaries, reducing the chance of triggering integrity alerts. Example: Dropping evil.lnk or malware.exe into Startup ensures auto-run on login.
CVE-2025-8088 – ADS-Assisted Path Traversal
Root Cause: Same traversal flaw as CVE-2025-6218, but the extraction code also fails to block NTFS ADS syntax in filenames (‘:’ character followed by stream name).
NTFS ADS Basics: An NTFS file can have multiple data streams: the main unnamed stream (default content) and any number of named alternate streams, addressed as filename:streamname (e.g., ‘readme.txt:payload.exe’). Windows Explorer and most file listings don’t show ADS, making them useful for hiding content.
Example Payload Path:
..\..\..\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt:malicious.exe
Impact: The payload is stored in an alternate data stream of a benign-looking file in the Startup folder. A loader script may execute it later, or another process may side-load it.
Why It’s Worse: ADS hides the malicious binary from casual inspection and some legacy security tools, delaying detection.
Observed Exploitation: Threat actors use it for stealth persistence plus staging malware for later execution.
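The canonicalize-and-bound check that both CVEs lack, as an added example (not WinRAR’s own code): every archive entry name is rejected if it is absolute, contains NTFS ADS syntax, or normalizes to a path outside the destination directory. It assumes dest_dir is an absolute Windows path; the sample entry names are the advisory’s payload paths with a constructed username.

```python
import ntpath
import re

# Added example, not WinRAR's code: the pre-flight check an extractor must apply
# to every archive entry name before opening the output file. Assumes dest_dir
# is an absolute Windows path; "victim" is a constructed username.

_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|\\)")     # drive letter, UNC, or rooted


def safe_target_path(dest_dir, entry_name):
    """Return the bounded output path for an archive entry, or None if the
    entry must be rejected: absolute or drive-qualified names, ADS syntax
    (':' inside a component, CVE-2025-8088), or a normalized path that
    escapes dest_dir (CVE-2025-6218)."""
    name = entry_name.replace("/", "\\")         # both separators are accepted
    if _ABSOLUTE.match(name):
        return None
    parts = [p for p in name.split("\\") if p not in ("", ".")]
    if not parts or any(":" in p for p in parts):
        return None
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, *parts))   # resolves '..'
    try:
        inside = ntpath.commonpath([dest, target]) == dest
    except ValueError:                            # different drive or root
        inside = False
    return target if inside else None


def check_entries(dest_dir, names):
    """Map each entry name to 'ok' or 'rejected', as an extractor's pre-flight pass."""
    return {n: ("ok" if safe_target_path(dest_dir, n) else "rejected") for n in names}


if __name__ == "__main__":
    dest = r"C:\Users\victim\Downloads\extract"
    samples = [
        r"docs\readme.txt",
        r"..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe",
        r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.exe",
        r"..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt:malicious.exe",
        r"sub\..\notes.txt",
    ]
    for n, v in check_entries(dest, samples).items():
        print(f"{v:8} {n}")
```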
Attack Chain
- Prepare Payload: Attacker embeds malicious executable/script in archive using traversal and/or ADS syntax.
- Deliver Archive: Sent via email, instant messaging, or malicious download links.
- Victim Extraction: User extracts with vulnerable WinRAR/UnRAR.
- Silent Path Escape: Payload lands in Startup or other sensitive locations.
- Automatic Execution: Runs on reboot/login with user privileges.
Exploitation in the Wild
- RomCom: Used CVE-2025-8088 as a zero-day in spear-phishing starting mid-July 2025, delivering backdoors via autorun locations.
- Paper Werewolf: Observed exploiting similar traversal flaws against Russian targets.
- Forecast: Expect copycat campaigns — trivial to weaponize, high persistence rate.
Protection:
- Trojan.49857.GC
- Trojan.49856.GC
- Romcom.49869.SL
- Ghanarava.1754899322556336
- Agent.S37377547
- Agent.S37377548
Indicators of Compromise (IoCs):
| SHA-256 | Detection Name |
| --- | --- |
| 49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1 | Bat.Trojan.49857.GC |
| a25d011e2d8e9288de74d78aba4c9412a0ad8b321253ef1122451d2a3d176efa | Lnk.Trojan.49856.GC |
| 4da20b8b16f006a6a745032165be68c42efef9709c8e133e39d4b6951cca5179 | Lnk.Trojan.49856.GC |
| 8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7 | Trojan.Ghanarava.1754899322556336 |
File/Path Patterns
- Writes to:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe
- Presence of ADS (‘:’ in filename), e.g.:
  - readme.txt:payload.exe
- Unexpected files outside the intended extraction folder.
Process/Behavior
- WinRAR.exe / UnRAR.exe spawning processes (cmd.exe, powershell.exe) post-extraction.
- ADS creation events (Sysmon Event ID 15).
Registry/Autorun
- Dropped Startup files (no registry needed).
- Monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run for related changes.
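A hunting rule built from the file, process and Sysmon indicators above, as an added example (not from the advisory or any vendor product): it flags Sysmon Event ID 11 (FileCreate) and 15 (FileCreateStreamHash) records where WinRAR/UnRAR writes into the Startup folder or creates a non-Zone.Identifier stream. Field names follow Sysmon’s schema; the event records are constructed for the demonstration.

```python
import re

# Added example, not vendor code: a hunt over Sysmon Event ID 11/15 records.
# Field names follow Sysmon's schema; the sample records are constructed.

STARTUP = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
ARCHIVERS = {"winrar.exe", "unrar.exe"}
EXPECTED_STREAMS = {"zone.identifier"}       # mark-of-the-web: normal download noise


def stream_name(target):
    """ADS name from a Sysmon TargetFilename such as C:\\x\\a.txt:evil.exe, else None."""
    leaf = target.rsplit("\\", 1)[-1]
    if ":" not in leaf:
        return None
    return leaf.split(":")[1] or None         # also drops an optional ':$DATA' suffix


def classify(event):
    """Return a verdict label for one event, or None when it looks benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    target = event.get("TargetFilename", "")
    in_startup = bool(STARTUP.search(target))
    if event["EventID"] == 15:
        stream = stream_name(target)
        if stream and stream.lower() not in EXPECTED_STREAMS:
            if in_startup:
                return "ads-in-startup"          # CVE-2025-8088 pattern
            if image in ARCHIVERS:
                return "archiver-wrote-ads"
    elif event["EventID"] == 11 and in_startup and image in ARCHIVERS:
        return "archiver-wrote-startup"          # CVE-2025-6218 pattern
    return None


def hunt(events):
    """Return (UtcTime, verdict, TargetFilename) for every flagged event."""
    return [(e["UtcTime"], v, e["TargetFilename"]) for e in events if (v := classify(e))]


SAMPLE_EVENTS = [  # constructed records, not captured telemetry
    {"EventID": 11, "UtcTime": "09:01:02", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\extract\readme.txt"},
    {"EventID": 11, "UtcTime": "09:01:03", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malicious.exe"},
    {"EventID": 15, "UtcTime": "09:00:40", "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\invoice.rar:Zone.Identifier"},
    {"EventID": 15, "UtcTime": "09:01:04", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt:malicious.exe"},
]
```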
MITRE ATT&CK Mapping
- T1059 – Command and Scripting Interpreter
- T1204 – User Execution
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1564.004 – Hide Artifacts: NTFS File Attributes (ADS)
- T1027 – Obfuscated Files or Information
Patch Verification
- Confirm WinRAR version 7.13 on all endpoints.
- Validate signatures & checksums of installer.
- Test with crafted traversal/ADS archives to ensure blocking.
Conclusion
CVE-2025-6218 and CVE-2025-8088 show how insufficient path validation and overlooked NTFS features can lead to stealthy persistence and RCE. Exploitation requires minimal user interaction, and both flaws have been used in real-world attacks. Immediate patching, combined with proactive hunting for ADS and Startup modifications, is essential for defense.
References
- RARLAB – Official WinRAR Security Advisory (August 2025)
  https://www.rarlab.com/rar/winrar-security.htm
  (Vendor confirmation of affected versions and fixes)
- National Vulnerability Database (NVD) – CVE-2025-6218
  https://nvd.nist.gov/vuln/detail/CVE-2025-6218
  (Technical classification, CVSS score, CWE mapping)
- National Vulnerability Database (NVD) – CVE-2025-8088
  https://nvd.nist.gov/vuln/detail/CVE-2025-8088
  (Technical classification, CVSS score, CWE mapping)
- Malwarebytes Labs – “WinRAR Zero-Day Exploited in the Wild” (August 2025)
  https://blog.malwarebytes.com/
  (Covers RomCom’s exploitation of CVE-2025-8088)
- ESET Research – “APT Campaigns Using WinRAR Vulnerabilities”
  https://www.welivesecurity.com/
  (Threat actor campaigns & IOC context)
- Microsoft Defender Threat Intelligence – “Detecting ADS Abuse in Windows”
  https://learn.microsoft.com/en-us/windows/security/threat-protection/
  (Guidance on detecting NTFS ADS creation events)
- MITRE ATT&CK – Technique T1547.001 (Startup Folder) & T1564.004 (ADS)
  https://attack.mitre.org/
  (Mapping for persistence & hiding techniques)
Authors:
Nandini Vimal Seth
Suvarnjeet Milind Jagtap