Federal cybersecurity authorities have issued urgent warnings after confirming that threat actors are actively exploiting two significant security flaws—one affecting the widely-used WinRAR file compression software and another targeting a core Windows system component. The Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities catalog on December 9, 2025, triggering mandatory remediation deadlines for federal agencies while strongly urging private sector organizations to take immediate action.

Two Critical Threats Enter CISA's Danger Zone

The agency flagged CVE-2025-6218, a path traversal vulnerability in RARLAB's WinRAR, and CVE-2025-62221, a use-after-free weakness in the Windows Cloud Files Mini Filter Driver. Both flaws demonstrate fundamentally different attack patterns yet share a common thread: confirmed real-world exploitation that places systems at immediate risk.

The WinRAR vulnerability enables attackers to execute arbitrary code when victims open specially crafted archive files. The flaw carries a CVSS score of 7.8 and allows attackers to execute code in the context of the current user, meaning successful exploitation grants whatever privileges the victim user possesses—potentially devastating when targeting administrator accounts.

Meanwhile, the Windows vulnerability represents an even more insidious threat. CVE-2025-62221 allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use-after-free weakness in the Windows Cloud Files Mini Filter Driver. This kernel-mode memory corruption bug essentially transforms limited foothold access into complete system domination.

WinRAR's Troubled History Continues

WinRAR has emerged as a recurring target for sophisticated threat actors throughout 2025. The newly cataloged CVE-2025-6218 represents the second path traversal vulnerability in the archiving tool to receive KEV designation this year. Earlier in August, ESET researchers discovered CVE-2025-8088, another WinRAR zero-day vulnerability that Russia-aligned threat group RomCom actively exploited in spearphishing campaigns targeting financial, manufacturing, defense, and logistics companies in Europe and Canada between July 18-21, 2025.

The attack methodology reveals why these vulnerabilities prove so effective. Attackers craft RAR files that exploit directory traversal bugs to force files into locations chosen by the attacker rather than the user's intended extraction folder, particularly targeting Windows autorun directories where malicious executables launch automatically upon user login.
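The defensive counterpart to that technique is to screen an archive's entry names before extraction. The following is an added example (not code from the article or from RARLAB) that takes entry names as an archive tool would list them, resolves each against the intended extraction directory with Windows path rules, and flags entries that would escape it or land in a Startup folder; the extraction directory and entry names are constructed sample values.

```python
import ntpath

# Windows Startup folders (Explorer launches their contents at logon); the
# path suffix is the same for the per-user profile and the all-users one.
STARTUP_SUFFIX = r"\microsoft\windows\start menu\programs\startup"


def resolve_entry(extract_dir: str, entry: str) -> str:
    """Return the lower-cased absolute path an entry would be written to.

    Entry names may use '/' or '\\', may be absolute (C:\\...) or rooted
    (\\Windows\\...), and may contain '..' components; ntpath resolves all
    of these the way a naive Windows extractor would.
    """
    return ntpath.normpath(ntpath.join(extract_dir, entry)).lower()


def classify_entry(extract_dir: str, entry: str) -> str:
    """'ok' if the entry stays under extract_dir, 'startup' if it escapes
    into a Startup folder, otherwise 'traversal' for any other escape."""
    base = ntpath.normpath(extract_dir).lower().rstrip("\\")
    target = resolve_entry(extract_dir, entry)
    if target == base or target.startswith(base + "\\"):
        return "ok"
    return "startup" if STARTUP_SUFFIX in target else "traversal"


def audit_entries(extract_dir: str, entries: list[str]) -> dict[str, str]:
    """Map each entry to its verdict; a caller should refuse to extract
    if any verdict is not 'ok'."""
    return {e: classify_entry(extract_dir, e) for e in entries}


# Constructed sample listing (not from a real archive): a benign file, a
# generic escape, and an entry aimed at the per-user Startup folder.
SAMPLE_ENTRIES = [
    "report/q3-summary.pdf",
    r"..\..\evil.dll",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
]

if __name__ == "__main__":
    results = audit_entries(r"C:\Users\alice\Downloads\out", SAMPLE_ENTRIES)
    for entry, verdict in results.items():
        print(f"{verdict:9s} {entry}")
    if any(v != "ok" for v in results.values()):
        print("REFUSE: archive contains entries that escape the extraction directory")
```

Screening entry names is a compensating control, not a substitute for updating the archiver; a patched extractor is what actually stops the traversal.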

Crucially, CVE-2025-6218 was already patched in a WinRAR update released on June 10, 2025. Yet organizations continue falling victim—a stark reminder that patch availability means nothing without deployment. The attack surface expands dramatically given WinRAR's massive install base, with hundreds of millions of users worldwide relying on the software for daily file archiving tasks.

Windows Driver Weakness Provides Privilege Escalation Highway

The Windows Cloud Files Mini Filter Driver vulnerability affects systems ranging from Windows 10 Version 1809 through the latest Windows 11 Version 25H2 and Windows Server 2025. This component manages cloud storage integration—specifically the system that enables Windows to treat cloud-stored files as local entries without downloading their full content until accessed, a functionality heavily relied upon by services like OneDrive.

The use-after-free condition occurs when a program attempts to access memory that has already been deallocated and returned to system control. In kernel-mode contexts, such memory corruption vulnerabilities become catastrophic because they operate with the highest system privileges. Microsoft disclosed the vulnerability in its December 9, 2025 Patch Tuesday release and confirmed exploitation had been detected in the wild, though the company has not shared specific details about the threat actors or exploitation methods.

Security researchers emphasize the severity of privilege escalation vulnerabilities in post-compromise scenarios. Once attackers gain initial access through phishing, credential theft, or social engineering, elevation of privilege flaws like CVE-2025-62221 transform limited access into complete network compromise. The low attack complexity and lack of required user interaction make automated exploitation particularly feasible for advanced persistent threats already established within target networks.

Federal Agencies Face December 30 Deadline

CISA's Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV-listed vulnerabilities by December 30, 2025. This three-week remediation window reflects the agency's assessment of immediate exploitation risk—these aren't theoretical concerns but confirmed active threats.

Though BOD 22-01 applies exclusively to federal agencies, CISA consistently emphasizes that KEV catalog additions signal widespread exploitation potential. Organizations maintaining WinRAR installations must verify they're running version 7.13 or later, which addresses both CVE-2025-6218 and the previously exploited CVE-2025-8088. Notably, WinRAR lacks automatic update functionality, requiring manual intervention from IT administrators to deploy patches across enterprise environments.

For Windows environments, Microsoft's December 2025 cumulative updates contain fixes for CVE-2025-62221. Organizations should prioritize deployment to high-value systems first, particularly domain controllers, privileged access workstations, and servers with sensitive data access. The vulnerability affects every supported Windows version, making this a comprehensive patching operation rather than a targeted fix.

Lessons From Repeated Exploitation

The pattern emerging from these disclosures reveals uncomfortable truths about organizational security postures. CVE-2025-6218 was patched six months before CISA added it to the KEV catalog, yet exploitation continued unabated. This suggests massive patch deployment gaps across enterprise environments—gaps that sophisticated adversaries systematically inventory and exploit.

Similarly, the Windows driver vulnerability underscores how kernel-mode components remain attractive targets precisely because they bridge user interactions with system-level privileges. The Cloud Files Mini Filter Driver processes complex inputs from user space including IOCTLs, placeholder metadata, and reparse points—all potential attack surfaces where memory safety errors can cascade into complete system compromise.

Organizations should treat KEV additions not as isolated incidents but as threat intelligence indicators. When CISA confirms active exploitation, it typically means multiple threat actors possess working exploits and are using them in campaigns. The federal remediation deadline serves as a reasonable timeline for private sector organizations to achieve similar security improvements.

Beyond patching, defense-in-depth strategies remain essential. Implement the principle of least privilege to minimize the impact of successful privilege escalation attacks. Deploy endpoint detection and response solutions configured to detect anomalous privilege elevation attempts and unusual kernel-mode driver activity. Train users to recognize phishing attempts that deliver malicious archives, and consider implementing application allowlisting to prevent unauthorized executables from launching—even when written to autorun directories.

The recurring exploitation of archiving utilities like WinRAR highlights a broader challenge: ubiquitous software becomes ubiquitous attack surface. When hundreds of millions of users rely on a tool for daily tasks, it becomes economically rational for attackers to invest resources into discovering and exploiting its vulnerabilities. Organizations must maintain current software inventories, automate patch deployment where possible, and rapidly address manual patching requirements for software like WinRAR that lacks built-in update mechanisms.

Author

Editorial Team
The Editorial Team at Security Land is comprised of experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.