A Proof-of-Concept (PoC) exploit has been publicly released for a high-severity vulnerability in the popular file archiver 7-Zip.
Tracked as CVE-2025-0411, this flaw allows attackers to bypass the Windows “Mark-of-the-Web” (MotW) security mechanism, potentially enabling the execution of arbitrary code. The vulnerability has been assigned a CVSS score of 7.0, reflecting its significant risk.
CVE-2025-0411 arises from improper handling of files extracted from crafted archives that carry the MotW flag. When users extract such files using vulnerable versions of 7-Zip, the extracted files fail to retain the MotW designation.
This oversight effectively disables critical security warnings and protections that alert users to potentially unsafe files downloaded from untrusted sources.
Attackers can exploit this flaw by crafting malicious nested archives and delivering them through phishing emails or compromised websites. Upon extraction, these files can execute arbitrary code in the context of the current user, bypassing standard Windows security measures.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Exploitation and Proof-of-Concept Details
The PoC exploit demonstrates how attackers can weaponize this vulnerability by creating a double-compressed archive containing a malicious executable.
The exploit leverages the vulnerability to strip MotW metadata during extraction, allowing the malicious file to execute without triggering Windows’ SmartScreen warnings.
The PoC includes a loader that launches calc.exe as a demonstration of arbitrary code execution. Delivery methods outlined include hosting the malicious archive on payload servers like MediaFire and distributing it via phishing campaigns.
Execution requires user interaction, such as opening the compressed file and running the embedded executable.
All versions of 7-Zip prior to 24.09 are affected by this vulnerability. The issue was resolved in version 24.09, released on November 29, 2024.
Mitigation Measures
To protect against exploitation of CVE-2025-0411, users are urged to take the following steps:
- Update Software: Upgrade to 7-Zip version 24.09 or later, available on the official website.
- Exercise Caution: Avoid opening files from unknown or suspicious sources, particularly compressed archives.
- Leverage Security Tools: Ensure endpoint protection solutions are configured to detect and block malicious file activity.
The vulnerability poses a significant risk by undermining a key Windows security feature designed to prevent untrusted files from executing without scrutiny.
Attackers could use this flaw to distribute malware or gain unauthorized access to systems, particularly in environments where users have administrative privileges.
Security researchers credit Peter Girnus of Trend Micro Zero Day Initiative for discovering and reporting this vulnerability. The release of a PoC highlights the urgency for users and organizations to patch affected systems immediately.
While 7-Zip remains one of the most widely used file archivers globally, this incident underscores the importance of maintaining up-to-date software and exercising caution with untrusted files.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
