A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users’ computers when extracting malicious files from nested archives.
7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special ‘Zone.Id’ alternate data streams) to all files extracted from downloaded archives.
This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution.
As a result, when double-clicking risky files extracted using 7-Zip, users will be warned that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices.
Microsoft Office will also check for the MotW flags, and if found, it will open documents in Protected View, which automatically enables read-only mode and disables all macros.
However, as Trend Micro explained in an advisory published over the weekend, a security flaw tracked as CVE-2025-0411 can let attackers bypass these security warnings and execute malicious code on their targets’ PCs.
“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” Trend Micro says.
“The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.”
Luckily, 7-Zip developer Igor Pavlov has already patched this vulnerability on November 30, 2024, with the release of 7-Zip 24.09.
“7-Zip File Manager didn’t propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive),” Pavlov said.
Similar flaws exploited to deploy malware
However, since 7-Zip doesn’t have an auto-update feature, many users are likely still running a vulnerable version that threat actors could exploit to infect them with malware.
All 7-Zip users should patch their installs as soon…
Click Here to Read the Full Original Article at BleepingComputer…