A high-severity vulnerability within the 7-Zip file archiver permits attackers to bypass the Mark of the Internet (MotW) Home windows safety characteristic and execute code on customers’ computer systems when extracting malicious recordsdata from nested archives.
7-Zip added assist for MotW in June 2022, beginning with model 22.00. Since then, it has mechanically added MotW flags (particular ‘Zone.Id’ alternate knowledge streams) to all recordsdata extracted from downloaded archives.
This flag informs the working system, net browsers, and different functions that recordsdata could come from untrusted sources and ought to be handled with warning.
In consequence, when double-clicking dangerous recordsdata extracted utilizing 7-Zip, customers will probably be warned that opening or operating such recordsdata might result in doubtlessly harmful habits, together with putting in malware on their gadgets.
Microsoft Workplace will even test for the MotW flags, and if discovered, it’s going to open paperwork in Protected View, which mechanically allows read-only mode and disables all macros.
Nonetheless, as Pattern Micro defined in an advisory printed over the weekend, a safety flaw tracked as CVE-2025-0411 can let attackers bypass these safety warnings and execute malicious code on their targets’ PCs.
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” Pattern Micro says.
“The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.”
Fortunately, 7-Zip developer Igor Pavlov has already patched this vulnerability on November 30, 2024, with the discharge of 7-Zip 24.09.
“7-Zip File Manager didn’t propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive),” Pavlov stated.
Related flaws exploited to deploy malware
Nonetheless, since 7-Zip would not have an auto-update characteristic, many customers are seemingly nonetheless operating a susceptible model that risk actors might exploit to contaminate them with malware.
All 7-Zip customers ought to patch their installs as quickly as potential, contemplating that such vulnerabilities are sometimes exploited in malware assaults.
As an illustration, in June, Microsoft addressed a Mark of the Internet safety bypass vulnerability (CVE-2024-38213) that DarkGate malware operators have exploited within the wild as a zero-day since March 2024 to bypass SmartScreen safety and set up malware camouflaged as installers for Apple iTunes, NVIDIA, Notion, and different reputable software program.
The financially motivated Water Hydra (aka DarkCasino) hacking group has additionally exploited one other MotW bypass (CVE-2024-21412) in assaults focusing on inventory buying and selling Telegram channels and foreign currency trading boards with the DarkMe distant entry trojan (RAT).
