
High-severity flaw in file archiver 7-Zip requires manual update

A flaw in the 7-Zip open-source file archiver tool could enable attackers to craft archives that bypass Windows security warnings, potentially tricking targets into launching malware.

The vulnerability was revealed in an advisory published by Trend Micro on Sunday, which gave the flaw a high CVSS score of 7.0. The flaw is tracked as CVE-2025-0411.

7-Zip is a popular free file archiver for Windows with about 14,000 weekly downloads, mostly from the United States, according to its SourceForge page.

7-Zip has supported a Windows security mechanism called the Mark of the Web (MotW) since version 22.00, released in June 2022. The application applies the MotW metadata identifier, using an alternate data stream named “Zone.Identifier,” to label all files from downloaded archives as potentially unsafe.

When a user attempts to open a MotW-flagged file, a Windows popup will appear displaying a security warning and asking the user to confirm that they want to run the file. Documents that open in Microsoft Office will also open in Protected View, which disables macros and makes the file read-only, if the MotW is present.

An attacker can potentially prevent this popup warning from appearing for malicious downloaded files by crafting an archive that vulnerable versions of 7-Zip will not apply the MotW to. As 7-Zip developer Igor Pavlov noted in the release notes for the fixed version 24.09, the “Zone.Identifier” stream would not propagate for files from nested archives, where an open archive is contained within another open archive.

7-Zip does not update automatically, so users will need to manually install version 24.09, which was first released on Nov. 30, 2024, in order to patch the flaw.
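The following PowerShell audit is an added example, not code from this article or from the 7-Zip project. It checks the installed 7-Zip version against 24.09 and lists files under an extraction folder that lack the Zone.Identifier stream (that is, no Mark of the Web), with an optional switch to re-apply the Internet-zone marker. It assumes the default 7-Zip install path, an NTFS volume, and that 7z.exe reports its product version as "MAJOR.MINOR"; the folder name is a placeholder.

```powershell
<#
Added example, not code from the SC Media article or the 7-Zip project.
Audits a Windows host for the conditions described above: 7-Zip older than
24.09, and extracted files missing the Zone.Identifier stream (no MotW).
Assumptions: default 7-Zip path, NTFS volume, version string "MAJOR.MINOR".
#>
param(
    [string]$ExtractDir  = "$env:USERPROFILE\Downloads\extracted",  # placeholder folder
    [string]$SevenZipExe = "$env:ProgramFiles\7-Zip\7z.exe",        # default install path
    [switch]$Remediate                                               # re-apply MotW if missing
)

# 1. Version check: 24.09 is the first release that propagates the
#    Zone.Identifier stream to files extracted from nested archives.
$fixedVersion = [version]'24.09'
if (Test-Path -LiteralPath $SevenZipExe) {
    $raw = (Get-Item -LiteralPath $SevenZipExe).VersionInfo.ProductVersion
    if ([version]$raw -lt $fixedVersion) {
        Write-Warning "7-Zip $raw is below 24.09 and affected by CVE-2025-0411; update manually."
    } else {
        Write-Host "7-Zip $raw is at or above the fixed version 24.09."
    }
} else {
    Write-Host "7-Zip not found at $SevenZipExe; skipping version check."
}

# 2. MotW audit: every file extracted from a downloaded archive should carry a
#    Zone.Identifier alternate data stream with ZoneId=3 (Internet zone).
Get-ChildItem -LiteralPath $ExtractDir -Recurse -File | ForEach-Object {
    $file   = $_.FullName
    $zoneId = $null
    $stream = Get-Item -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $line = Get-Content -LiteralPath $file -Stream Zone.Identifier |
                Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
    }
    if ($null -eq $zoneId -and $Remediate) {
        # Restore the marker so the Windows warning and Office Protected View engage again.
        Set-Content -LiteralPath $file -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
        $zoneId = 3
    }
    [pscustomobject]@{ File = $file; HasMotW = ($null -ne $zoneId); ZoneId = $zoneId }
} | Format-Table -AutoSize
```

Files reported with HasMotW = False after extracting a downloaded archive with a pre-24.09 build are the ones that would open without the security prompt.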

Attackers have previously leveraged exploits that bypass MotW warnings, such as a Windows flaw that prevented any files extracted from internet-downloaded ZIP archives from being labeled with the MotW, which received an unofficial patch by 0patch in October 2022.

0patch also released an unofficial fix for another Microsoft flaw in November 2022 that prevented security warnings for files with malformed Authenticode signatures, even when the MotW is present. This flaw was exploited in a Magniber ransomware campaign that involved a MotW-flagged JavaScript file with a malformed signature.
