Overview
- CISA placed CVE-2025-6218 and CVE-2025-62221 on the Known Exploited Vulnerabilities catalog with a December 30, 2025 remediation due date for federal civilian agencies under BOD 22-01.
- CVE-2025-6218 is a WinRAR path traversal that enables code execution when a user opens a malicious archive or visits a malicious page. It affects Windows builds and was patched in WinRAR 7.12, released in June.
- Security vendors report active use of CVE-2025-6218 by GOFFEE (Paper Werewolf), Bitter, and Gamaredon, including phishing that replaces Word’s Normal.dotm to auto-run macros and drop a C# trojan contacting johnfashionaccess[.]com.
- Gamaredon has leveraged the WinRAR flaw against Ukrainian military and government targets to deliver Pteranodon, with related activity also linked to earlier WinRAR path traversal CVE-2025-8088.
- CVE-2025-62221 is a use-after-free in the Windows Cloud Files Mini Filter Driver exploited in the wild for local privilege escalation to SYSTEM, increasing impact when paired with initial access vectors.
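
For the WinRAR path traversal and the Normal.dotm replacement described in the bullets above, a defender can audit archive entry names before extraction. The Python check below is an added example, not code from CISA, WinRAR or the cited vendors. Its function names, destination folder and sample entry names are constructed for illustration, and it checks generic traversal patterns rather than the specific CVE-2025-6218 parsing flaw.

```python
import ntpath  # Windows path rules, usable on any OS

# Word's global template, the file the page says the phishing archives replace.
WATCHED_SUFFIXES = (r"\microsoft\templates\normal.dotm",)

# Constructed sample data: extraction folder and entry names as listed from an archive.
DEST = r"C:\Users\alice\Downloads\out"
SAMPLE_NAMES = [
    "docs/report.pdf",
    r"..\..\AppData\Roaming\Microsoft\Templates\Normal.dotm",
    r"C:\Windows\Temp\x.dll",
    "a/../b.txt",
]

def audit_entry(dest, name):
    """Return findings for one entry name; an empty list means it stays inside dest."""
    findings = []
    win = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(win)
    if drive or rest.startswith("\\"):
        findings.append("absolute-path")
    # Whitespace-padded ".." is flagged too: Win32 trims trailing spaces from components.
    if any(part.strip() == ".." for part in rest.split("\\")):
        findings.append("parent-traversal")
    # Resolve the name against the destination and compare case-insensitively.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, win)))
    root = ntpath.normcase(ntpath.normpath(dest))
    if target != root and not target.startswith(root + "\\"):
        findings.append("escapes-destination")
    if target.endswith(WATCHED_SUFFIXES):
        findings.append("overwrites-normal.dotm")
    return findings

def scan(dest, names):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {n: f for n in names if (f := audit_entry(dest, n))}

if __name__ == "__main__":
    for entry, why in scan(DEST, SAMPLE_NAMES).items():
        print(f"{entry}: {', '.join(why)}")
```

An entry such as `a/../b.txt` resolves inside the destination but is still reported, since legitimate archives have no reason to carry parent-directory components.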