CVE-2025-6218 PoC — RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability

Source

https://github.com/mulwareX/CVE-2025-6218-POC

Associated Vulnerability

Title:RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability (CVE-2025-6218)
Description:RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

Description

RARLAB WinRAR Directory Traversal Remote Code Execution

Readme

RARLAB WinRAR Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198.

# 📦 Multi-Traversal ZIP Payload Generator

This Python script creates a specially crafted ZIP archive exploiting a **WinRAR Directory Traversal Remote Code Execution** vulnerability (ZDI-CAN-27198). The archive includes a payload designed to be extracted into the **Windows Startup** folder, allowing for execution upon the next user login.
CVE-2025-6218-POC

> **⚠️ WARNING**: This tool is provided for educational and research purposes only. Unauthorized use may be illegal and unethical. Always obtain proper authorization before testing on any system.

---

## 🔥 Vulnerability Overview

- **Affected Software**: WinRAR (all versions prior to patch)
- **CVE / ZDI Reference**: ZDI-CAN-27198
- **Attack Vector**: Malicious ZIP file
- **Impact**: Remote Code Execution (RCE) upon archive extraction

By embedding a payload with directory traversal sequences (`.. .\\.. .\\...`), the ZIP tricks WinRAR into extracting files outside the current directory—e.g., into the victim’s **Startup folder**:
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


---
## 🎞️ Demo Preview

![Demo](cve.gif)


## 🧰 Features

- Injects payload into Startup folder using 3 to 7 levels of directory traversal
- It will work even if the zip is extracted in 7 directories deep
- Optionally includes a decoy **normal file** to appear legitimate
- Supports arbitrary payload file

---

## 🚀 Usage

### ▶️ Requirements
- Python 3.x

### ▶️ Command Line
```bash
python3 zip_payload_generator.py --payload payload.bat --normal decoy.pdf --output backdoor.zip
```

⚠️ Disclaimer

This project is for educational and authorized penetration testing only. The creator is not responsible for any misuse or damage caused by this tool. Always comply with local laws and regulations.

File Snapshot


 [4.0K]  /data/pocs/c6ccf35dcd7d7717917cc94bed7ae3c35bed3703
├── [3.5M]  cve.gif
├── [2.3K]  README.md
└── [2.3K]  zip_payload_generator.py

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!