If you use WinRAR, it’s time to update. The file-archiving utility has patched a serious vulnerability that can be exploited to launch malware from a booby-trapped RAR file. 

After a user reported the threat earlier this month to antivirus provider Trend Micro, WinRAR released version 7.12 today, which fixes the bug.

The problem affects earlier Windows versions of WinRAR, which has over 500 million users worldwide. In the release notes, WinRAR says: “A specially crafted archive containing arbitrary code could be used to manipulate file paths during extraction. User interaction is required to exploit this vulnerability, which could cause files to be written outside the intended directory.

“This flaw could be exploited to place files in sensitive locations — such as the Windows Startup folder — potentially leading to unintended code execution on the next system login,” the release notes added. 

This Tweet is currently unavailable. It might be loading or has been removed.

The danger could appear if a booby-trapped RAR file is circulated to unsuspecting users, whether through a file download or a torrent. The vulnerability, dubbed CVE-2025-6218, has been given a 7.8 score, indicating it is a “high” severity threat. 

It’s unclear if hackers ever exploited the flaw. But a mysterious user named “whs3-detonator” discovered and reported the threat through Trend Micro’s Zero Day Initiative, which focuses on rewarding security researchers who disclose previously unknown software vulnerabilities. 

Unfortunately, WinRAR doesn’t have an auto-update feature. So users will need to manually download and install the new version to get the patch. Otherwise, their PCs will remain at risk.

“This issue affects only Windows-based builds,” the WinRAR team added. “Versions of RAR and UnRAR for Unix, the portable source code on Unix, and RAR for Android are not affected.”

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.

Read Michael’s full bio

Read the latest from Michael Kan