CVE-2025-6218 WinRAR Directory Traversal: Attackers Plant Malware in the Startup Folder (CVSS 7.8)
WinRAR 7.11 and earlier (Windows): a directory traversal flaw lets a specially crafted archive write files outside the extraction directory the user chose, including the user's Startup folder. Fixed in WinRAR 7.12 beta 1, released 10 June 2025.
Vulnerability summary
| Item | Detail |
|---|---|
| CVE | CVE-2025-6218 |
| CVSS | 7.8 High |
| Affected | WinRAR ≤ 7.11 on Windows (the Windows builds of RAR, UnRAR and UnRAR.dll share the bug; Unix builds and RAR for Android are not affected) |
| Type | Directory Traversal (path traversal, CWE-22) |
| Impact | Arbitrary file write outside the extraction path, used here for Startup-folder persistence |
| Patch | WinRAR 7.12 beta 1 |
Attack walkthrough
1. The user receives malicious.rar by email or downloads it from the web and extracts it with WinRAR.
2. One entry in the archive carries a traversal path, so WinRAR writes it to C:\Users\[user]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe instead of into the chosen extraction directory.
3. At the next interactive logon (a restart is not required) Windows launches everything in the Startup folder, so the payload runs as that user.
4. The payload steals browser cookies and saved passwords, logs keystrokes and connects to its C2 server.
Exploit PoC
Archive structure (entry name as stored in the archive):
malicious.rar
└── ..\..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe
Path traversal: the original write-up counts 12 "..\" to reach the Startup folder, but the number actually needed depends on where the user extracts, so a detection must not assume a fixed depth. The 7.12 beta 1 change log describes the bug as a crafted archive path that tricks the extractor into using that path instead of the user-specified one; the precise trigger is not reproduced here.
Result: the payload runs automatically at the next logon.
Severity and impact
💰 Browser cookies → session hijacking
🔑 Password manager data → account takeover
📁 Document encryption (ransomware)
🌐 C2 implant → botnet membership
✅ Runs as the logged-on user; no admin rights needed, because the per-user Startup folder is writable by that user
Detection & Prevention
✅ Update to WinRAR 7.12 beta 1 or later (released 10 Jun 2025)
✅ Do not extract untrusted archives, and treat self-extracting (SFX) archives as executables; WinRAR has no single "auto-extract" switch to turn off
✅ YARA rule for traversal entry names inside RAR archives
✅ EDR behavioural detection: WinRAR.exe creating files under a Startup folder
❌ AV signatures alone: the dropped payload.exe can be any binary, and a file scanner judges the file, not the path it was written to
YARA Detection Rule
rule WinRAR_CVE_2025_6218_Traversal {
    meta:
        description = "RAR archive whose entry names combine parent-directory traversal with a Startup-folder path"
    strings:
        $rar4 = { 52 61 72 21 1A 07 00 }      // "Rar!\x1a\x07\x00", RAR 4.x signature
        $rar5 = { 52 61 72 21 1A 07 01 00 }   // "Rar!\x1a\x07\x01\x00", RAR5 signature
        $trav_bs = "..\\..\\..\\" ascii         // older RAR (4.x) archives created on Windows store backslash separators
        $trav_fs = "../../../" ascii            // RAR5 stores entry names with forward slashes
        $startup_bs = "Start Menu\\Programs\\Startup" ascii nocase
        $startup_fs = "Start Menu/Programs/Startup" ascii nocase
    condition:
        ($rar4 at 0 or $rar5 at 0) and 1 of ($trav*) and 1 of ($startup*)
}
Entry names live in the archive headers, which are plaintext unless the archive was created with header encryption (-hp); an encrypted-header archive hides its entry names from this rule and should be treated as uninspected rather than clean. The "wide" modifier of the original rule is dropped because RAR5 stores names as UTF-8, and the signature anchor keeps the rule from firing on documents that merely mention these strings.
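A byte-pattern rule still fires on any file that happens to contain those strings and misses names it did not anticipate. The following added example (written for this page; it is not WinRAR's or RARLAB's code) walks the RAR5 headers instead, pulls out each entry name and classifies it: absolute path, any ".." segment, or a Startup-folder target. It assumes the RAR5 container format (WinRAR 7's default); the RAR4 layout is not parsed. build_rar5() is a constructed fixture that writes stored entries only so the scanner can be exercised offline, and the sample entry names are constructed too, not taken from a real campaign.

```python
"""Header-aware scanner for RAR5 archives (WinRAR 7's default format): flags entry
names that would escape the extraction directory or land in a Startup folder.  Added
example, not WinRAR's or RARLAB's code; build_rar5() is a constructed test fixture."""
import re, struct, zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_ENCRYPT, HDR_END = 1, 2, 4, 5               # RAR5 header types
HFL_EXTRA, HFL_DATA, FFL_MTIME, FFL_CRC = 0x01, 0x02, 0x02, 0x04    # header flags / file flags

def read_vint(buf, pos):
    """Decode a RAR5 vint: 7 payload bits per byte, LSB first, top bit = continue."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def entry_names(data):
    """Yield each file entry's name; raise ValueError if names are not inspectable."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(data):
        hdr_size, p = read_vint(data, pos + 4)   # skip the 4-byte header CRC32
        hdr_end = p + hdr_size                   # size counts from the type field
        htype, p = read_vint(data, p)
        hflags, p = read_vint(data, p)
        if hflags & HFL_EXTRA:
            _, p = read_vint(data, p)            # extra-area size, unused here
        data_size, p = read_vint(data, p) if hflags & HFL_DATA else (0, p)
        if htype == HDR_ENCRYPT:                 # -hp archive: every later header is ciphertext
            raise ValueError("headers encrypted (-hp); entry names not inspectable")
        if htype == HDR_FILE:
            fflags, p = read_vint(data, p)
            for _ in range(2):                   # unpacked size, attributes
                _, p = read_vint(data, p)
            p += (4 if fflags & FFL_MTIME else 0) + (4 if fflags & FFL_CRC else 0)
            for _ in range(2):                   # compression info, host OS
                _, p = read_vint(data, p)
            name_len, p = read_vint(data, p)
            yield data[p:p + name_len].decode("utf-8", "replace")
        pos = hdr_end + data_size                # packed data follows the header

def unsafe_reason(name):
    """Why a name must not be extracted verbatim, or None if it looks safe."""
    norm = name.replace("\\", "/")               # RAR4 names use '\', RAR5 uses '/'
    if norm.startswith("/") or re.match(r"[A-Za-z]:", norm):
        return "absolute path"
    if ".." in norm.split("/"):
        return "parent-directory traversal"
    if re.search(r"start menu/programs/startup(/|$)", norm, re.I):
        return "targets a Startup folder"
    return None

def scan(data):
    """Return [(name, reason)] for every entry that must not be written as-is."""
    try:
        return [(n, unsafe_reason(n)) for n in entry_names(data) if unsafe_reason(n)]
    except ValueError as exc:
        return [("<archive>", str(exc))]

def vint(n):
    """Encode a RAR5 vint (inverse of read_vint)."""
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def block(htype, body):
    """Frame one header: CRC32 over (size vint + type + body), then size vint."""
    framed = vint(len(vint(htype)) + len(body)) + vint(htype) + body
    return struct.pack("<I", zlib.crc32(framed)) + framed

def build_rar5(entries):
    """Constructed fixture: a RAR5 archive of STORED (method 0) entries."""
    out = bytearray(RAR5_SIG) + block(HDR_MAIN, vint(0) + vint(0))  # header flags, archive flags
    for name, content in entries:
        raw = name.encode("utf-8")
        body = (vint(HFL_DATA) + vint(len(content))        # header flags, data size
                + vint(FFL_CRC) + vint(len(content))       # file flags, unpacked size
                + vint(0x20)                               # attributes: FILE_ATTRIBUTE_ARCHIVE
                + struct.pack("<I", zlib.crc32(content))   # data CRC32
                + vint(0) + vint(0)                        # compression: stored; host OS: Windows
                + vint(len(raw)) + raw)
        out += block(HDR_FILE, body) + content
    return bytes(out + block(HDR_END, vint(0) + vint(0)))   # header flags, end-of-archive flags

# Constructed sample input: one benign entry and three unsafe entry names.
SAMPLE = build_rar5([
    ("invoice.pdf", b"%PDF-1.4 constructed benign content"),
    ("../../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.exe",
     b"MZ constructed stand-in, not a real binary"),
    ("C:\\Windows\\Temp\\drop.bat", b"@echo constructed"),
    ("Microsoft/Windows/Start Menu/Programs/Startup/update.exe", b"MZ constructed"),
])
```

Running scan(SAMPLE) reports the traversal entry, the absolute-path entry and the relative Startup-folder entry, and leaves invoice.pdf alone. The scanner also reports an archive whose headers are encrypted (-hp), because then the entry names are ciphertext and neither it nor the YARA rule can see them; such archives should be handled as uninspected, not clean. Because the check is name-based it does not depend on the exact path-handling bypass in WinRAR ≤ 7.11, and it deliberately does not count ".." segments, since the depth needed to reach the Startup folder depends on where the user extracts.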
Mitigation Checklist
☑️ Update WinRAR to 7.12 beta 1 or later across the fleet
☑️ Block or sandbox self-extracting (SFX) archives arriving by email
☑️ Application control (AppLocker or WDAC) that denies execution from user-writable locations such as the per-user Startup folder
☑️ EDR rule: alert when WinRAR.exe (or any archiver process) creates a file under *\Start Menu\Programs\Startup\
☑️ Detonate email attachments in a sandbox before delivery
Attack Timeline
Jun 2025: reported to RARLAB through Trend Micro's Zero Day Initiative (credited to whs3-detonator)
10 Jun 2025: WinRAR 7.12 beta 1 released with the fix
Following weeks: proof-of-concept archives and exploit tooling circulate
Ongoing: phishing campaigns delivering crafted archives
Enterprise Response
🚨 Patch WinRAR fleet-wide, including the Windows RAR/UnRAR command-line tools and third-party software that bundles UnRAR.dll
🔍 Scan the per-user and All Users Startup folders for unexpected executables and shortcuts
📊 SIEM: alert on file creation under *\Start Menu\Programs\Startup\ by archiver processes, and on "..\..\" or "../../" patterns in archive entry names seen by mail and proxy scanners
🛡️ Block known malicious IOCs (sender domains, C2 addresses, payload hashes)
📋 User awareness training on handling archives received by email