The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Windows and RARLAB WinRAR to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in the catalog means CISA has evidence that a flaw is being exploited in the wild, not merely that it scored highly; both of these entries are rated High (CVSS 7.8) rather than Critical.
Details of the Newly Added Vulnerabilities
The two new entries are:
- CVE-2025-6218 (CVSS score of 7.8) – RARLAB WinRAR Path Traversal Vulnerability
- CVE-2025-62221 (CVSS score of 7.8) – Microsoft Windows Use After Free Vulnerability
The first, CVE-2025-6218, is a directory traversal flaw in WinRAR, tracked by the Zero Day Initiative as ZDI-CAN-27198. Exploitation requires user interaction: the target must open a crafted archive or visit a malicious page that delivers one. Because WinRAR did not properly sanitize the file paths stored inside an archive, an entry whose name contains traversal sequences could be written outside the directory the user chose for extraction. A traversal write on its own only plants a file; it becomes code execution with the victim's privileges once that file lands somewhere the user or the system will later open or run.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” states the advisory. “The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user.”
This vulnerability was reported by a researcher known as whs3-detonator.
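The root cause described in the advisory, an archive entry name that is trusted as a relative path, is the classic archive path traversal pattern. The following is an added example written for this page, not WinRAR's code or the ZDI proof of concept: it builds a small constructed ZIP in memory containing one benign entry and three entries that try to escape the extraction directory (`../` traversal, the same with Windows backslashes, and an absolute path), then extracts it with a check that resolves each entry's final location and refuses anything that does not land inside the chosen directory. ZIP is used only because Python's standard library can create one offline; the containment check itself is format-independent and is the same test a RAR extractor must apply. Note that Python's own `ZipFile.extract` already strips traversal components, so the explicit check here is to make the rule visible rather than because `zipfile` needs it.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional


def is_contained(dest: Path, member_name: str) -> bool:
    """Return True only if member_name, extracted under dest, stays inside dest.

    Archive formats store '/'-separated names, but a hostile archive may use
    backslashes, absolute paths or drive letters, so all of those are handled.
    """
    name = member_name.replace("\\", "/")
    # Absolute POSIX paths and anything that looks like a drive spec ("C:/...")
    # are rejected outright; a legitimate relative entry never needs them.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    base = dest.resolve()
    # resolve() collapses every "..", so the comparison is on the real target.
    target = (base / name).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


def safe_extract(archive_bytes: bytes, dest: Path) -> Dict[str, List[str]]:
    """Extract an in-memory ZIP into dest, refusing entries that would escape it.

    Returns the entry names that were written and those that were rejected, so
    a caller (or a log line) can see exactly what the archive tried to do.
    """
    result: Dict[str, List[str]] = {"extracted": [], "rejected": []}
    dest.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest, info.filename):
                result["rejected"].append(info.filename)
                continue
            out_path = dest / info.filename.replace("\\", "/")
            if info.is_dir():
                out_path.mkdir(parents=True, exist_ok=True)
            else:
                out_path.parent.mkdir(parents=True, exist_ok=True)
                out_path.write_bytes(zf.read(info))
            result["extracted"].append(info.filename)
    return result


def build_sample_archive() -> bytes:
    """Constructed sample (not a real-world file): one benign entry plus three
    entries that attempt the kind of traversal the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        zf.writestr("../../escaped.txt", "would land two levels above dest")
        zf.writestr("..\\..\\escaped_win.txt", "same trick with backslashes")
        zf.writestr("/tmp/absolute.txt", "absolute path, ignores dest entirely")
    return buf.getvalue()


def demo(dest_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Extract the constructed archive into a scratch directory and report."""
    dest = Path(dest_dir) if dest_dir else Path(tempfile.mkdtemp())
    return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    outcome = demo()
    for status, names in outcome.items():
        for n in names:
            print(f"{status:>9}: {n!r}")
```

The check is done on the resolved target rather than by grepping names for `..`, because normalization tricks (mixed separators, redundant segments, symlinked directories) defeat string matching but not a comparison of the real final path against the real destination.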
The second, CVE-2025-62221, is a use-after-free in the Windows Cloud Files Mini Filter Driver (cldflt.sys), the kernel component that backs cloud-synced placeholder files. It is a local privilege escalation: the attacker must already be able to run code on the machine as an authenticated, low-privileged user, and the bug lets that code reach kernel level.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the advisory explains.
Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate every vulnerability listed in the KEV catalog by the due date CISA assigns to it, on the rationale that flaws already being exploited pose the most immediate risk to federal networks.
For these two entries the due date is December 30, 2025. Although the directive binds only federal agencies, CISA and security practitioners also advise private organizations to track the KEV catalog and prioritize remediation of its entries, which here means updating WinRAR to a fixed release and applying the current Windows security update.