WinRAR Vulnerability Exploited to Target Government Agencies

Information:
WinRAR is a program for managing data, whether files or folders. You can use the program to compress various data files to the desired smaller size or to extract compressed zip files back into normal files and folders for use. It supports compression of .RAR and .ZIP file types and comes with a system for secure and confident protection, management, and file sharing.
Encryption is performed every time using AES 256-bit technology to enhance security. You can set passwords and metadata.
Incident :
APT-C-08 exploits WinRAR vulnerability CVE-2025-6218, a directory traversal flaw affecting WinRAR versions 7.11 and earlier. The issue stems from improper path normalization during file extraction, specifically when paths contain a space after the “..” notation, allowing attackers to bypass security checks. This is the first observed case of APT-C-08 weaponizing this vulnerability. Due to the vulnerability’s low exploitation complexity and the widespread failure of users to update WinRAR, it provides an ideal attack surface.
Attack Methods :
Attackers deliver weaponized RAR archives via email or file-sharing platforms. When victims extract the RAR file using vulnerable WinRAR versions, the flaw allows malicious files to be written into restricted directories. The attack implants a weaponized Normal.dotm file into Microsoft Word’s Templates directory. When Word is opened, malicious macros execute automatically without user interaction. The macros connect to a C2 (command-and-control) server to download additional payloads and execute remote commands. Attackers gather system information and deliver further malware such as C# trojans, maintaining persistent access.
Attack Details :
Exploitation Technique :
Attackers embed malicious paths such as:
A space after “..” enables bypassing WinRAR path validation. When extracted, the malicious Normal.dotm is placed in:
Payload Behavior :
Normal.dotm contains auto-executing malicious macros. The macros download additional components such as winnsc.exe. The downloader collects the hostname, username and OS version and sends the data to C2 (command-and-control) servers: teamlogin.esanojinjasvc[.]com and tapeqcqoptions[.]com. Additional payloads include C# trojans associated with APT-C-08.
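The Incident and Attack Details sections above describe the root cause as a path check that does not account for a space after “..”, so a segment such as “.. ” slips past validation while Windows still treats it as the parent directory when the file is written. The following is an added example, written here for this bulletin and not code from WinRAR or from the reported campaign, of how a defensive path check for archive members should handle that shape. It goes slightly beyond the bulletin's single case: it also rejects absolute paths, drive letters and UNC prefixes, and it accepts “..” segments that stay inside the extraction root. The function names, the sample member list and the /srv/extract root are constructed for the example.

```python
import posixpath
import re

# A segment that is ".." followed only by spaces. Win32 path normalization
# strips trailing spaces from each path component, so such a segment still
# walks up one directory even though it is not literally "..". A validator
# that only compares against the literal string ".." misses it.
_PARENT_SEGMENT = re.compile(r"^\.\.\s*$")
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def is_safe_archive_path(member_path: str) -> bool:
    """Return True only if the member path stays inside the extraction root.

    Rejects empty or NUL-containing names, absolute paths (including UNC
    paths after backslash normalization), drive letters, and any sequence of
    parent segments that climbs above the extraction root.
    """
    if not member_path or "\x00" in member_path:
        return False
    normalized = member_path.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_LETTER.match(normalized):
        return False
    depth = 0
    for segment in normalized.split("/"):
        if segment in ("", "."):
            continue
        if _PARENT_SEGMENT.match(segment):
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return False
            continue
        depth += 1
    return True


def unsafe_members(member_paths):
    """Return the member paths that fail the safety check, preserving order."""
    return [p for p in member_paths if not is_safe_archive_path(p)]


def _clean_segment(segment: str) -> str:
    # Collapse ".. " to ".." and drop trailing spaces from ordinary names so the
    # computed destination matches what the Windows file system would use.
    if _PARENT_SEGMENT.match(segment):
        return ".."
    return segment.rstrip(" ") or segment


def resolve_under(extract_root: str, member_path: str):
    """Return the POSIX-style destination for a safe member, or None if unsafe."""
    if not is_safe_archive_path(member_path):
        return None
    segments = member_path.replace("\\", "/").split("/")
    cleaned = "/".join(_clean_segment(s) for s in segments)
    return posixpath.normpath(posixpath.join(extract_root, cleaned))


# Constructed sample member list (not taken from a real archive) covering the
# cases a hardened extractor must tell apart.
SAMPLE_MEMBERS = [
    "report.docx",
    "images/logo.png",
    "docs/../readme.txt",           # climbs, but stays inside the root: safe
    "../outside.txt",               # classic traversal
    ".. /.. /outside.txt",          # the space-after-dots variant from the bulletin
    "C:/Windows/Temp/outside.txt",  # absolute path with drive letter
]

if __name__ == "__main__":
    for member in SAMPLE_MEMBERS:
        dest = resolve_under("/srv/extract", member)
        print(f"{member!r:32} -> {dest if dest else 'REJECTED'}")
```

The check is deliberately lexical and conservative: it decides on the archive's member names before anything touches the disk, rather than creating the file and checking afterwards where it landed. The same logic can be run over the member list of any archive format to flag entries worth quarantining before extraction.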
Solution :
1. Users should immediately update WinRAR to the latest version that includes a fix for the CVE-2025-6218 vulnerability.
2. Avoid opening RAR files from untrusted or unknown sources, as this vulnerability can be exploited through specially crafted archive files.
3. Run WinRAR or any extraction tools in a restricted environment, such as a sandbox or virtual machine (VM), to reduce risk if the file contains malicious code.
4. Use antivirus software and Endpoint Detection and Response (EDR) solutions that can detect and block potential threats.
5. Limit write permissions in critical directories, such as the Startup folder or user profile directories, to reduce the chance of malicious files being planted.
6. Educate users to be cautious about opening RAR files or email attachments from untrusted sources.
7. Limit WinRAR execution permissions to administrators only to enhance security layers.
The important thing is the security of your systems: stay vigilant and keep monitoring as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
References :
Weekly Interesting CVE

| NO. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-27918 | 6/11/2025 | 7/11/2025 | AnyDesk before 9.0.0 | Heap-Based Overflow | 9.8 | An issue was discovered in AnyDesk before 9.0.0. It has an integer overflow and resultant heap-based buffer overflow via a UDP packet during processing of an Identity user image within the Discovery feature, or when establishing a connection between any two clients. | Upgrade to version 9.0.0 or later | |
| 2 | CVE-2025-46364 | 5/11/2025 | 7/11/2025 | Dell CloudLink | OS Command Injection | 9.1 | Dell CloudLink, versions 8.0 through 8.1.2, contains a vulnerability in the restricted shell. A privileged user with a known password can break out into the command shell of the CloudLink server, gain shell access, escalate privileges and gain unauthorized access to the system. If SSH is enabled with the server's web credentials, the attack is possible over the network with a known privileged user/password. | Upgrade to version 8.2 or later | |
| 3 | CVE-2025-20354 | 5/11/2025 | 6/11/2025 | Cisco Unified CCX | Remote Code Execution | 9.8 | Allows arbitrary file read and write and similar unauthorized actions when mutual SSL/TLS authentication is not enabled. | Update/patch | https://nvd.nist.gov/vuln/detail/CVE-2025-20354 |
| 4 | CVE-2025-55108 | 5/11/2025 | 6/11/2025 | Control-M/Agent | Remote Code Execution | 9.5 | FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link is not security-verified, posing a risk of SSRF attacks. This issue has been patched in version 4.11.1. | Upgrade Control-M/Agents to version 9.0.21.xxx or 9.0.22 | |
| 5 | CVE-2025-11546 | 7/11/2025 | 7/11/2025 | CLUSTERPRO X for Linux | Command Injection | 9.3 | If an attacker sends specially crafted network packets to the product, arbitrary OS commands may be executed without authentication. | Update/patch | https://nvd.nist.gov/vuln/detail/CVE-2025-11546 |
Malware News or Campaign IOC/IOA

| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | GlassWorm malware returns on OpenVSX with 3 new VSCode extensions | 08/11/2025 | Information-Stealer, Payload extensions, Dropper/Loader | Malware found in Visual Studio Code extensions on marketplaces, downloaded over 10,000 times. The malware, dubbed GlassWorm, targets OpenVSX, is able to propagate, and reaches its C2 servers through Solana transactions. The extensions that carry the malware are named ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs. The malware's goal is to steal data and mine cryptocurrency. Koi Security found that the malware was spreading across the world, particularly in the US, Europe, Asia, and government agencies in the Middle East. | |

Ref: https://www.truesec.com/hub/blog/glassworm-self-propagating-vscode-extension
19 November 2025