CVE-2025-0411
Published: 2025-01-25
Priority: P1 · 81 · Severity: high · CVSS 3.1 base score: 7.0
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-02-27
Exploited in the wild
EPSS: 67.07% (99.2th percentile)
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 7-zip | 7-zip | < 24.09 | 24.09 |
| 7-zip | 7-zip | — | — |
| 7-zip | p7zip | >= 0 < 16.02+transitional.1 | 16.02+transitional.1 |
| debian | 7zip | — | — |
| debian | p7zip | — | — |
Detection & IOCs (extracted from sources)
bytes: \x37\x7A\xBC\xAF\x27\x1C (the 7z archive file signature: "7z" followed by BC AF 27 1C)
- Detect MoTW bypass via double-nested archives: flag files extracted from an archive-within-an-archive (e.g., outer.zip/inner.zip/payload) that are missing a Zone.Identifier ADS with ZoneId=3, especially when the outer archive carries MoTW.
- Hunt for executables or scripts dropped without a Zone.Identifier ADS (missing MoTW) that originate from a double-encapsulated archive extraction by 7-Zip versions prior to 24.09.
- Detect homoglyph-based filename spoofing: look for filenames or domains containing Cyrillic characters (e.g., Cyrillic 'Es', U+0441) mixed with Latin characters, particularly in archive contents or email attachments, to identify extension-spoofing attempts.
- Flag .url files with spoofed ZIP archive icons extracted from nested 7-Zip archives as high-risk; these are used to trick users into executing SmokeLoader payloads without MoTW warnings.
- Detect double-extension executables (e.g., .pdf.exe) dropped from nested archives as an indicator of CVE-2025-0411 exploitation delivering SmokeLoader.
- Note: the bypass works regardless of the archive format used for the outer or inner archive; it is not limited to .zip or .7z containers.
- Note: MoTW propagation failure means downstream Windows security controls (SmartScreen reputation/signature checks and Office Protected View macro blocking) will not trigger on extracted payloads.
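A defender-side triage script for the indicators listed above, added here as an example; it is not code from this page or from any of the quoted sources. The Zone.Identifier parser, the mixed-script and double-extension heuristics, and the extension sets are assumptions, and every sample filename and stream body is constructed:

```python
"""Triage helpers for the CVE-2025-0411 indicators listed above (added example).
Assumed, not from the page: the extension sets, the sample names and the Zone.Identifier text."""
import unicodedata
from pathlib import PurePath

EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".url", ".lnk"}  # assumption
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}  # assumption

def parse_zone_id(stream_text):
    """ZoneId from the body of a Zone.Identifier ADS (3 = Internet), or None if absent."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif line.startswith("["):
            in_section = False
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None

def read_zone_id(path):
    """Read the real stream on NTFS; None when the file has no MoTW at all,
    which is the state CVE-2025-0411 leaves nested-archive extractions in."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None

def scripts_in(name):
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in a filename."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}

def is_mixed_script(name):
    """Homoglyph heuristic: Latin and Cyrillic letters mixed in one filename."""
    return {"LATIN", "CYRILLIC"} <= scripts_in(name)

def is_double_extension(name):
    """report.pdf.exe style: a decoy document extension followed by an executable one."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS and suffixes[-1] in EXEC_EXTS

def assess(name, zone_id, nested=False):
    """Findings for one extracted file given its ZoneId (None = no MoTW) and
    whether it came out of an archive that was itself inside an archive."""
    findings = []
    if PurePath(name).suffix.lower() in EXEC_EXTS and zone_id != 3:
        findings.append("executable without Internet-zone MoTW"
                        + (" from nested archive" if nested else ""))
    if is_mixed_script(name):
        findings.append("mixed Latin/Cyrillic filename")
    if is_double_extension(name):
        findings.append("double extension")
    return findings

def scan_samples():
    """Constructed sample set (not real IoCs) run through assess()."""
    samples = [("invoice.pdf.exe", None, True),    # classic nested-archive drop
               ("do\u0441ument.url", None, True),  # Cyrillic 'es' (U+0441) homoglyph
               ("readme.txt", 3, False),           # benign: not executable
               ("setup.exe", 3, False)]            # benign: MoTW kept
    return {name: assess(name, zid, nested) for name, zid, nested in samples}
```

On a Windows host, `read_zone_id` can be pointed at each file an extraction produced and its result fed to `assess`; elsewhere only the parser and name heuristics are exercised.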
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 7.0 | HIGH | — |
| vulncheck | — | 7.0 | HIGH | — |
| cisa | — | 7.0 | HIGH | — |
| vendor_debian | — | 7.0 | LOW | — |
CISA
7-Zip Mark of the Web Bypass Vulnerability
cisa · 2025-02-06 · CVSS 7.0 · CVE-2025-0411 [HIGH] · CWE-693
Affected: 7-Zip (vendor) / 7-Zip (product)
7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.7-zip.org/history.txt ; https://nvd.nist.gov/vuln/detail/CVE-2025-0411
Remediation Due Date: 2025-02-27
Debian
CVE-2025-0411: 7zip - 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote att...
vendor_debian · 2025 · CVSS 7.0 · CVE-2025-0411 [HIGH]
Scope: local
bookworm: resolved
forky: resolved
sid: resolved
trixie: resolved
OSV
CVE-2025-0411: 7-Zip Mark-of-the-Web Bypass Vulnerability
osv · 2025-01-25 · CVSS 7.0 · CVE-2025-0411 [HIGH]
GHSA
GHSA-2pjx-wvcg-vhr8: 7-Zip Mark-of-the-Web Bypass Vulnerability
ghsa_unreviewed · 2025-01-25 · CVE-2025-0411 [HIGH] · CWE-693
VulnCheck
7-Zip Mark of the Web Bypass Vulnerability
vulncheck · 2025 · CVSS 7.0 · CVE-2025-0411 [HIGH] · CWE-693
Exploitation References: https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://isc.sans.edu/diary/Reminder%3A%207-Zip%20%26%20MoW/31668; https://asec.ahnlab.com/ko/87042/; https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-APT-and-financial-attacks-on-industrial-o
No detection rules found.
No public exploits indexed.
Trendmicro
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
blogs_trendmicro · 2025-02-04 · CVSS 7.0 · CVE-2025-0411 [HIGH]
Exploits & Vulnerabilities
## CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
The ZDI team offers an analysis on how CVE-2025-0411, a zero-day vulnerability in 7-Zip, was actively exploited to target Ukrainian organizations in a SmokeLoader campaign involving homoglyph attacks.
By: Peter Girnus, 2025/02/04
Windows MoTW is an important part of the Windows security architecture and is needed for other key Windows protection mechanisms to function, such as:
- Windows Defender SmartScreen, which examines files based on reputation and signature.
- Microsoft Office Protected View, which protects users from threats such as malicious macros and Dynamic Data Exchange (DDE) attacks.
The root cause of CVE-2025-0411 is tha
Trendmicro
CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
blogs_trendmicro · 2025-02-04 · CVSS 7.0 · CVE-2025-0411 [HIGH]
Exploits & Vulnerabilities
# CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
The ZDI team offers an analysis on how CVE-2025-0411, a zero-day vulnerability in 7-Zip, was actively exploited to target Ukrainian organizations in a SmokeLoader campaign involving homoglyph attacks.
By: Peter Girnus, 2025/02/04
# Summary
- In September 2024, the Zero Day Initiative (ZDI) Threat Hunting team identified the exploitation of a 7-Zip zero-day vulnerability used in a SmokeLoader malware campaign targeting Ukrainian entities.
- The vulnerability, CVE-2025-0411, was disclosed to 7-Zip creator Igor Pavlov, leading to the release of a patch in version 24.09 on November 30, 2024.
- CVE-2025-0411 allows the bypassing of Windo
Bleepingcomputer
7-Zip MotW bypass exploited in zero-day attacks against Ukraine
blogs_bleepingcomputer · 2025-02-04 · CVSS 7.0 · [HIGH]
## 7-Zip MotW bypass exploited in zero-day attacks against Ukraine
By Bill Toulas
A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024.
According to Trend Micro researchers, the flaw was used in SmokeLoader malware campaigns targeting the Ukrainian government and private organizations in the country.
The Mark of the Web is a Windows security feature designed to warn users that the file they're about to execute comes from untrusted sources, requesting a confirmation step via an additional prompt. Bypassing MoTW allows malicious files to run on the victim's machine without a warning.
When downloading documents and executables from the web or received as an email attachme
Bleepingcomputer
7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
blogs_bleepingcomputer · 2025-01-21 · CVSS 7.0 · [HIGH]
## 7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
By Sergiu Gatlan
A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives.
7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special 'Zone.Id' alternate data streams) to all files extracted from downloaded archives.
This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution.
As a result, when double-clicking risky files extracted using 7-Zip, users will be warned that opening o
References
- https://www.zerodayinitiative.com/advisories/ZDI-25-045/
- http://www.openwall.com/lists/oss-security/2025/01/24/6
- https://security.netapp.com/advisory/ntap-20250207-0005/
- https://www.vicarius.io/vsociety/posts/cve-2025-0411-7-zip-mitigation-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-0411-detection-7-zip-vulnerability
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0411
Timeline
2025-01-25: Published
2025-02-06: Added to CISA KEV
Exploited in the wild