CISA adds CVE-2025-6218 and CVE-2025-62221 to KEV catalog
CISA has added vulnerabilities affecting RARLAB WinRAR and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, identifying a path traversal flaw in WinRAR and a use-after-free flaw in Windows and noting evidence of active exploitation.
The entries listed are CVE-2025-6218: RARLAB WinRAR Path Traversal Vulnerability, and CVE-2025-62221: Microsoft Windows Use After Free Vulnerability, as published in the KEV catalog.
The advisory states these categories of vulnerabilities are frequent attack vectors for malicious cyber actors and pose risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01 established the KEV Catalog as a living list and requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
Although BOD 22-01 applies only to Federal Civilian Executive Branch agencies, CISA urges all organizations to prioritize timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice and notes it will continue to add vulnerabilities that meet the specified criteria.