A dangerous vulnerability discovered in 7-Zip could allow attackers to bypass protection systems

A critical vulnerability has been identified in the popular 7-Zip archiving software. This vulnerability allows attackers to bypass an important Windows security feature—the “Mark-of-the-Web” (MotW) mechanism.

The vulnerability, tracked as CVE-2025-0411, has been assigned a CVSS security rating of 7.0, indicating a significant risk level.

CVE-2025-0411 arises from improper handling during the extraction of specially crafted archive files marked with the MotW attribute. Vulnerable versions of 7-Zip fail to retain the MotW metadata during extraction. This compromises the ability to detect potentially malicious files downloaded from untrusted sources, effectively disabling a crucial security mechanism.

Attackers can exploit this vulnerability by creating malicious archives and distributing them via phishing emails or compromised websites. When a user extracts such an archive, the dangerous files bypass Windows security protections and execute within the user’s privileges.

A published Proof-of-Concept (PoC) exploit demonstrates how attackers can weaponize this vulnerability. The exploit uses a two-stage process, leveraging a double-compressed archive to execute a malicious file (e.g., calc.exe).

During exploitation:

• The MotW metadata is removed during file extraction.
• Malicious files execute without any warnings, bypassing Windows SmartScreen security features.

Attackers may host malicious files on platforms like MediaFire and distribute them through phishing campaigns. Users must open the archive and execute the contained program to trigger the attack.

All versions of 7-Zip prior to 24.09 are affected by this vulnerability. It was fixed in version 24.09, released on November 29, 2024.

Recommendations to Ensure Security:

1. Update your software. Download and install version 24.09 or later from the official 7-Zip website.
2. Handle files cautiously. Avoid opening archive files from unknown or suspicious sources.
3. Use security tools. Configure endpoint protection solutions capable of detecting and blocking malicious file activity.

This vulnerability is particularly concerning as it undermines MotW, a critical Windows security feature against untrusted and potentially harmful files. Systems operated by users with administrative privileges are especially at risk, as the vulnerability could facilitate widespread malware distribution and unauthorized system access.

The release of the PoC exploit underscores the importance of timely system updates for both individuals and organizations.

Although 7-Zip remains one of the world’s most popular file archiving tools, this incident highlights the critical need to keep software up to date and exercise caution when handling unknown files.

Take action today: update your 7-Zip software and strengthen your cybersecurity!