A significant security vulnerability has been identified in the popular file archiver 7-Zip, allowing attackers to bypass the Windows Mark of the Web (MotW) security feature. This flaw, tracked as CVE-2025-0411, poses a serious risk as it enables malicious code execution when users extract files from nested archives.
Overview of the vulnerability
The MotW feature, which 7-Zip integrated in June 2022, is designed to alert users about potentially unsafe files downloaded from the internet. It does this by adding specific flags to files extracted from downloaded archives. These flags trigger warnings in Windows and applications like Microsoft Office, prompting users to exercise caution when opening such files. However, the newly discovered vulnerability undermines this protective mechanism by failing to propagate the MotW flags to extracted files from certain crafted archives. As a result, users may unknowingly execute harmful software without receiving appropriate warnings. Trend Micro highlighted that while user interaction is necessary for exploitation—such as visiting a malicious webpage or opening a compromised file—the implications of this flaw are severe. Attackers can exploit this weakness to run arbitrary code with the privileges of the current user, potentially leading to system compromise.
Response and mitigation
In response to this critical issue, 7-Zip’s developer Igor Pavlov released a patch on November 30, 2024, with version 24.09 addressing the vulnerability. The update ensures that the Zone.Identifier stream is correctly propagated for extracted files from nested archives. However, since 7-Zip lacks an auto-update feature, many users may still be operating on vulnerable versions. Given the history of similar vulnerabilities being exploited in real-world attacks—such as those leveraged by malware operators like DarkGate and Water Hydra—users are urged to update their installations immediately. The urgency is underscored by previous incidents where attackers have successfully used MotW bypass vulnerabilities to deploy malware disguised as legitimate software.