WinRAR Vulnerability Allowed Malware Execution During Archive Extraction

Red Dog Security

26 Jun 2025 — 1 min read

A critical path traversal vulnerability (CVE-2025-6218) in WinRAR has been patched after researchers discovered it could allow malware to execute automatically when extracting archives. The flaw received a CVSS score of 7.8 and was reported by security researcher whs3-detonator through Zero Day Initiative in early June 2025.

Affected Versions & Fix

Impacted: Windows versions of WinRAR 7.11 and later
Fixed in: WinRAR 7.12 beta 1 (released this week)

How the Exploit Worked

A maliciously crafted RAR archive could override user-specified extraction paths using a manipulated relative path.
This allowed files to be extracted into system directories or auto-start folders (e.g., Startup).
If the extracted files were malware, they could execute automatically upon the next Windows login.

Potential Risks

While the malware would run with user-level privileges (not admin/SYSTEM), it could still:

Steal browser cookies, saved passwords, and sensitive data
Establish persistence on the victim’s system
Provide attackers with remote access

Additional Fix: HTML Injection Flaw

WinRAR 7.12 beta 1 also patched an HTML injection vulnerability in report generation, reported by researcher Marcin Bobryk.

Archive filenames containing < or > could be interpreted as raw HTML tags in reports.
If opened in a browser, this could lead to HTML/JS injection attacks.

Recommendation

Users should update to WinRAR 7.12 beta 1 or later immediately to mitigate these risks.

Key Points:

CVE-2025-6218 allowed malware execution via archive extraction.
Malicious archives could force files into autostart locations.
Fixed in WinRAR 7.12 beta 1 (older versions remain vulnerable).
Secondary patch prevents HTML injection in reports.
No admin rights needed—malware could still steal data or enable remote access.

352 Android Apps Infected with IconAds Adware

Security researchers at Human Security have uncovered a massive ad fraud operation dubbed IconAds, involving 352 malicious Android apps previously available on the Google Play Store. At its peak, the campaign generated over 1.2 billion ad requests per day, primarily targeting users in Brazil, Mexico, and the United States.

AI Chatbots Like ChatGPT Are Providing Fake URLs for Major Companies

Cybersecurity analysts at Netcraft have uncovered a troubling trend: AI chatbots frequently generate incorrect or misleading URLs when asked to provide official website links for major brands. According to researchers, this flaw opens a dangerous new vector for phishing and domain hijacking attacks. Key Findings from Netcraft’s Study The

Hackers Leak Allegedly Stolen Telefónica Data

A hacker is threatening to release 106 GB of data allegedly stolen from Spanish telecommunications giant Telefónica, though the company firmly denies any recent breach or data compromise. The threat actor, operating under the alias “Rey,” claims the intrusion occurred on May 30, during which over 12 hours of data

.es Domains Become 19 Times More Popular Among Phishers

Cybersecurity researchers at Cofense report a dramatic rise in phishing campaigns leveraging .es domains, which are officially reserved for Spanish-language websites or entities based in Spain. The use of these domains by cybercriminals has surged 19-fold since the beginning of 2025, making .es the third most exploited top-level domain (TLD)