Mark-of-the-Web Bypass Vulnerability in 7-Zip by 7-Zip
CVE-2025-0411

7 HIGH

Key Information:

Vendor: 7-Zip
Status: Vendor
CVE Published: 25 January 2025

Badges

Trended No. 1 | Trended | Score: 11,800 | Ransomware | Exploit Exists | Public PoC | CISA Reported | News Worthy

What is CVE-2025-0411?

CVE-2025-0411 is a vulnerability affecting the 7-Zip file archiving software, a widely used application for managing compressed files and archives. The vulnerability is categorized as a Mark-of-the-Web bypass, meaning it allows attackers to circumvent the security measures that protect users from potentially harmful files downloaded from the internet. The flaw lets an attacker deliver files that are extracted without the security warnings Windows would normally show for internet-sourced content, posing significant risk to organizations that rely on 7-Zip for data compression and file management.

Technical Details

The vulnerability stems from a specific flaw in the way 7-Zip handles archived files. When a user extracts files from a specially crafted archive that carries the Mark-of-the-Web attribute, the software fails to propagate this attribute to the extracted files, so Windows treats them as if they had originated locally. An attacker who has crafted such a malicious archive can therefore get arbitrary code executed once the user extracts and opens the files. The attack requires user interaction: the victim needs to either visit a malicious web page or open a compromised file to trigger the exploit.
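The following PowerShell audit is an added example, not code from this page or from the 7-Zip project. Windows stores the Mark-of-the-Web as the Zone.Identifier alternate data stream on a file, with ZoneId=3 marking Internet-sourced content. The script reads that stream from a downloaded archive and from every file extracted from it, and reports the extracted files that did not inherit the mark, which is the condition described above. The archive and extraction paths are assumed placeholders; it needs PowerShell on Windows with an NTFS volume.

```powershell
# Added example, not from the page or the 7-Zip project.
# Reads the Zone.Identifier ADS to find extracted files that lost their
# Mark-of-the-Web. Requires Windows PowerShell 3+ or PowerShell 7 on Windows
# and files stored on NTFS (alternate data streams are an NTFS feature).

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$LiteralPath)
    # Returns the ZoneId as an integer, or $null when the file carries
    # no Zone.Identifier stream (Get-Content throws if the stream is absent).
    try {
        $lines = Get-Content -LiteralPath $LiteralPath -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-MotwPropagation {
    param(
        # Hypothetical inputs: the downloaded archive and the folder it was extracted into.
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractedPath
    )
    $archiveZone = Get-ZoneId -LiteralPath $ArchivePath
    if ($archiveZone -ne 3) {
        Write-Warning "Archive has no Internet-zone mark (ZoneId=$archiveZone); nothing to propagate."
    }
    Get-ChildItem -LiteralPath $ExtractedPath -Recurse -File | ForEach-Object {
        $zone = Get-ZoneId -LiteralPath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zone
            # An Internet-zone archive whose extracted file has no mark is the
            # exact propagation failure a MotW bypass produces.
            MissingMotw = ($archiveZone -eq 3 -and $null -eq $zone)
        }
    }
}

# Usage (paths are placeholders); lists only the files that lost the mark:
# Test-MotwPropagation -ArchivePath 'C:\Users\alice\Downloads\report.7z' `
#     -ExtractedPath 'C:\Users\alice\Downloads\report' |
#     Where-Object { $_.MissingMotw }
```

Files flagged as MissingMotw are the ones SmartScreen and the Office Protected View checks will skip, so an extraction tool that passes this audit on a patched version and fails it on an affected one gives a concrete way to confirm the fix in an environment.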

Potential Impact of CVE-2025-0411

  1. Arbitrary Code Execution: The primary risk associated with this vulnerability is the ability for attackers to execute arbitrary code on the victim's machine, which can lead to unauthorized access and control over the system.

  2. Malware Deployment: By leveraging this vulnerability, attackers can deploy malware, ransomware, or other harmful software onto the affected systems, potentially leading to further compromises and data theft.

  3. User Data Compromise: The exploitation of this vulnerability can result in the exposure of sensitive user data, as attackers may gain access to files and information stored on the compromised device, leading to privacy breaches and financial loss.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

7-Zip 24.08 (x64)

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Russian cybercrooks exploiting 7-Zip zero-day

2 weeks ago

7-Zip 0-Day Flaw Added to CISA’s List of Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical 0-day vulnerability affecting the popular file compression utility.

2 weeks ago

7-Zip Vulnerability Actively Exploited in The Wild in Attacks - CISA Adds Its Catalog

A critical vulnerability in the popular file archiving tool 7-Zip (CVE-2025-0411) has been actively exploited in the wild.

2 weeks ago

References

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • CISA Reported

  • Vulnerability reached the number 1 worldwide trending spot

  • Used in Ransomware

  • Vulnerability started trending

  • Vulnerability published

  • Public PoC available

  • Exploit known to exist

  • First article discovered by CybersecurityNews

  • Vulnerability Reserved
