Critical 7-Zip Vulnerability Allows Remote Attackers to Bypass Security

A recently revealed vulnerability in the widely used file archiving software 7-Zip, tracked as CVE-2025-0411, has sparked considerable security concerns.

This issue allows remote attackers to circumvent Windows' Mark-of-the-Web (MOTW) protection, potentially allowing the execution of arbitrary code on vulnerable systems. With a CVSS score of 7.0, the flaw is considered to be of high severity.

7-Zip Code Execution Vulnerability

The problem arises from the improper handling of files extracted from specially crafted archives that include the MOTW flag. When a user extracts these files using vulnerable versions of 7-Zip, the MOTW designation is not preserved.

This oversight allows attackers to bypass essential security measures meant to defend against malicious content. By exploiting this vulnerability, an attacker could execute arbitrary code within the context of the affected user.

Exploitation of this vulnerability requires user interaction, such as visiting a malicious website or opening a harmful file. This makes the flaw especially concerning in environments where users regularly handle files from untrusted sources.

Additionally, another code execution vulnerability in 7-Zip, identified as CVE-2024-11477, was discovered in version 24.07. This flaw allows attackers to execute arbitrary code within the current process when users interact with malicious archives.

The vulnerability affects all versions of 7-Zip up to 24.07. Users are strongly urged to update to version 24.09, which resolves the issue and ensures proper handling of MOTW flags for extracted files.

• October 1, 2024: The vulnerability was reported to the vendor.

• January 19, 2025: Coordinated public disclosure and release of the patched version.

This vulnerability presents a serious threat to users, as it compromises a critical Windows security feature meant to prevent untrusted files from running without proper review. Attackers could leverage this flaw to spread malware or gain unauthorized access to systems, especially in environments where users have administrative privileges.

The Zero Day Initiative has credited researcher Peter Girnus for discovering and reporting this vulnerability.

To mitigate the CVE-2025-0411 vulnerability in 7-Zip, users and administrators should follow these steps:

1. Update 7-Zip to the Latest Version:

   • Immediately upgrade to 7-Zip version 24.09 or later. This update addresses the vulnerability and ensures proper handling of the MOTW flags on extracted files.

2. Limit User Privileges:

   • Restrict administrative privileges to reduce the potential impact of exploitation. Ensure that users do not run applications or extract files with elevated privileges unless necessary.

3. Enable Windows Defender SmartScreen:

   • Ensure that Windows Defender SmartScreen is enabled. It can help block access to potentially malicious files and websites, adding an extra layer of protection.

4. Educate Users on Security Best Practices:

   • Train users to avoid interacting with files from untrusted sources. Advise caution when downloading or opening files, especially from suspicious or unknown websites.

5. Monitor for Unusual Activity:

   • Regularly monitor systems for signs of exploitation, such as unusual file activity or processes running with elevated privileges. Utilize intrusion detection and prevention systems (IDPS) for enhanced monitoring.