- Security researchers warned of a vulnerability in previous versions of 7-Zip.
- The vulnerability allowed threat actors to bypass the Mark of the Web security feature.
- The bug was fixed at the end of November 2024.
A high severity vulnerability was recently discovered and patched in the popular open source file archiving solution 7-Zip. Since the product does not have an automatic update function, users are recommended to manually update to the latest version as soon as possible.
The vulnerability in question is tracked as CVE-2025-0411. It is described as a Mark of the Web (MotW) bypass, which allows threat actors to execute malicious code on target endpoints that extract files from nested archives. It was given a severity score of 7 out of 10: high.
Mark of the Web is a Windows security feature that marks files downloaded from the Internet as potentially unsafe by adding metadata indicating their origin. This helps prevent malicious scripts or executables from being automatically executed, prompting users to confirm before opening such files.
Patching the defect
7-Zip added support for MotW in June 2022, in version 22.00. However, the feature was implemented incorrectly and could be bypassed. In a recently published advisory, cybersecurity researchers at Trend Micro explain:
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected 7-Zip installations. User interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file,” the researchers said.
“The specific flaw exists in the handling of archived files. When extracting files from a crafted archive that carries the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. The attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.”
The bug has since been mitigated, and version 24.09 was released in late November 2024.
“7-Zip File Manager did not propagate the Zone.Identifier stream for files extracted from nested archives (if there is an open archive inside another open archive),” explained project developer Igor Pavlov.
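The Mark of the Web described above is stored on NTFS as an alternate data stream named Zone.Identifier, whose content is a small INI-style text with a ZoneId (3 means the Internet zone). The script below is an added example, not code from the article, 7-Zip or Trend Micro: it parses that stream format and audits a set of extracted files for exactly the failure the advisory and Igor Pavlov describe, an Internet-marked outer archive whose extracted contents lack the mark. The file names and stream contents are constructed sample data; `read_zone_identifier` is the only part that touches a real file system and works only on Windows.

```python
"""Added example: parse Zone.Identifier (Mark of the Web) data and audit
extracted files for missing propagation. Sample data below is constructed."""
import os

# Windows URL security zones as they appear in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text):
    """Parse the INI-style body of a Zone.Identifier stream.

    Returns a dict with an integer 'ZoneId' plus any other keys found in the
    [ZoneTransfer] section (ReferrerUrl, HostUrl), or None when the stream
    is absent, has no [ZoneTransfer] section or carries no usable ZoneId.
    """
    if not text:
        return None
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        return None
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except ValueError:
        return None
    return fields


def is_marked_from_internet(text):
    """True when the stream marks the file as Internet (3) or Restricted (4)."""
    parsed = parse_zone_identifier(text)
    return parsed is not None and parsed["ZoneId"] >= 3


def read_zone_identifier(path):
    """Windows/NTFS only: read the 'path:Zone.Identifier' alternate data
    stream. Returns None when the stream is absent or on non-Windows hosts."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def find_unmarked_extractions(archive_mark, extracted):
    """Audit an extraction.

    archive_mark: Zone.Identifier text of the archive that was opened.
    extracted:    mapping of extracted file name -> its Zone.Identifier text
                  (None when the file has no stream).
    Returns the sorted names of files that should have inherited the
    Internet mark from the archive but did not. An archive that is not
    Internet-marked imposes nothing, so the result is empty.
    """
    if not is_marked_from_internet(archive_mark):
        return []
    return sorted(name for name, mark in extracted.items()
                  if not is_marked_from_internet(mark))


# Constructed sample: an outer archive downloaded from the Internet, and the
# files obtained by extracting a nested archive from within it. One of them
# came out without any Zone.Identifier stream, which is the defect at issue.
SAMPLE_MARK = ("[ZoneTransfer]\r\nZoneId=3\r\n"
               "ReferrerUrl=https://example.invalid/\r\n"
               "HostUrl=https://example.invalid/outer.7z\r\n")
SAMPLE_EXTRACTED = {
    "inner.7z": SAMPLE_MARK,
    "readme.txt": SAMPLE_MARK,
    "installer.exe": None,
}

if __name__ == "__main__":
    for name in find_unmarked_extractions(SAMPLE_MARK, SAMPLE_EXTRACTED):
        print(f"missing Mark of the Web: {name}")
```

On a Windows host the same audit can be run against real files by passing `read_zone_identifier(path)` results into `find_unmarked_extractions`; any extracted executable that comes back without the mark will open without the usual SmartScreen or Office prompt, which is why updating to a fixed 7-Zip release matters more than the score alone suggests.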
Via BleepingComputer