A critical vulnerability in the 7-Zip file archiver (CVE-2025-0411) has been discovered, enabling attackers to bypass the Mark of the Web (MotW) Windows security feature.
This flaw allows malicious code execution on users’ systems by exploiting 7-Zip’s handling of nested archives.
The MotW feature, introduced in 7-Zip version 22.00 in June 2022, adds security flags (Zone.Id alternate data streams) to files extracted from downloaded archives. These flags inform the operating system and applications to treat such files as untrusted, prompting security warnings or restricting functionality. For example, Microsoft Office opens flagged documents in Protected View to prevent macro-based attacks.
However, Trend Micro highlighted a flaw in how 7-Zip propagates MotW flags during extraction. Attackers can craft malicious archives to bypass these protections, executing arbitrary code with the user’s permission. Exploitation requires user interaction, such as visiting a malicious site or opening a crafted file.
7-Zip developer Igor Pavlov addressed this issue in version 24.09, released on November 30, 2024. Despite the fix, 7-Zip’s lack of an auto-update feature leaves many users vulnerable, as older versions remain widely installed.
This vulnerability is particularly concerning given similar exploits in the past. In June 2024, Microsoft patched a MotW bypass (CVE-2024-38213) exploited by DarkGate malware operators to evade SmartScreen protection. Another bypass (CVE-2024-21412) was used by the Water Hydra hacking group to target trading platforms with the DarkMe remote access trojan (RAT).
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
To mitigate risks, users are strongly advised to update to 7-Zip version 24.09 immediately. Failure to patch could leave systems exposed to malware attacks leveraging this security gap.
