Active Exploitation Reported for CVE-2025-0411 in 7-Zip
Summary
Observed exploitation has involved targeted spear-phishing campaigns, using homoglyph attacks to spoof document extensions to lure users
Threat details
Exploitation of CVE-2025-0411
A security firm reports observing active exploitation of CVE-2025-0411 in which files are archived twice (an archive nested inside another archive) to bypass the Mark-of-the-Web (MotW) security feature and evade security checks.
Observed exploitation has involved targeted spear-phishing campaigns using homoglyph attacks, in which characters that look identical to others are used to spoof document extensions and lure users.
A security researcher has also publicly released a proof-of-concept (PoC) exploit for CVE-2025-0411. The PoC enables attackers to bypass the MotW security feature and execute code on users’ systems when extracting malicious files from nested archives.
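The two tricks described above, nested archives and look-alike characters in a document extension, can be checked for at the mail gateway or on a file share before a user ever extracts anything. The following is an added example, not code from the advisory or from the 7-Zip project: it uses standard-library ZIP handling as a stand-in for 7-Zip's nested archives (Python has no built-in 7z reader), a deliberately small constructed homoglyph table, and a constructed sample archive whose inner member name uses a Cyrillic "о" so that it reads as "Invoice.doc".

```python
import io
import unicodedata
import zipfile

# Constructed, deliberately small table of Cyrillic/Greek letters that render
# like ASCII letters. A production check would use the full Unicode
# confusables data (UTS #39); this is an illustrative subset only.
HOMOGLYPHS = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03c5": "y",
}

def skeleton(text):
    """Replace look-alike letters with the ASCII letter a user would perceive."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))

def spoofed_extension(name):
    """Return (apparent_ext, spoofed). spoofed is True when the extension only
    *looks* like the ASCII extension a user reads, e.g. 'd<Cyrillic o>c'."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    apparent = skeleton(ext).lower()
    return apparent, apparent != ext.lower()

def walk_archive(data, depth=0, max_depth=3):
    """Recurse through nested ZIPs (stand-in for 7-Zip's nested archives) and
    record every member with its nesting depth and extension-spoof verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            apparent, spoofed = spoofed_extension(info.filename)
            findings.append({"name": info.filename, "depth": depth,
                             "apparent_ext": apparent, "spoofed": spoofed})
            if apparent == "zip" and depth < max_depth:  # bound the recursion
                findings.extend(walk_archive(zf.read(info), depth + 1, max_depth))
    return findings

def build_sample():
    """Constructed sample: an outer archive holding an inner archive whose member
    name uses a Cyrillic 'о' so that 'Invoice.dос' reads as 'Invoice.doc'."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.d\u043ec", b"placeholder bytes, not a document")
        z.writestr("README.txt", b"plain text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
    return outer.getvalue()
```

Running `walk_archive(build_sample())` lists the inner member at depth 1 with `spoofed` set, which is the combination of signals a gateway rule would act on; the `max_depth` guard keeps a deliberately deep nesting chain from recursing without limit.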
Introduction
A security researcher has released a proof-of-concept (PoC) exploit for CVE-2025-0411 that demonstrates how the vulnerability in 7-Zip can be exploited. 7-Zip is a popular, free, and open-source file compression and extraction software.
CVE-2025-0411 is a 'Protection Mechanism Failure' vulnerability with a CVSSv3 score of 7.0. The specific flaw exists within the handling of archived files. The vulnerability could allow an attacker to craft an archive where 7-Zip will not apply the Mark-of-the-Web (MotW) to the extracted files. The MotW is a metadata identifier used by Microsoft Windows to mark files downloaded from the internet as potentially unsafe.
An attacker could leverage this vulnerability to bypass the MotW feature and execute arbitrary code in the context of the current user.
Active exploitation of CVE-2025-0411 has been observed in the wild.
Threat updates
| Date | Update |
|---|---|
| 4 Feb 2025 | Cyber Alert changed to reflect exploitation in the wild |
Remediation advice
Affected organisations are encouraged to update 7-Zip to version 24.09 or later as soon as practicable.
Last edited: 4 February 2025 3:56 pm