
7-Zip fixes bug that bypasses Windows MotW security warnings, patch now


A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users’ computers when extracting malicious files from nested archives.

7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special ‘Zone.Identifier’ alternate data streams) to all files extracted from downloaded archives.

This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution.

As a result, when double-clicking risky files extracted using 7-Zip, users will be warned that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices.

Microsoft Office will also check for the MotW flags, and if found, it will open documents in Protected View, which automatically enables read-only mode and disables all macros.

Launching a downloaded executable with a MotW flag (BleepingComputer)

However, as Trend Micro explained in an advisory published over the weekend, a security flaw tracked as CVE-2025-0411 can let attackers bypass these security warnings and execute malicious code on their targets’ PCs.

“This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file,” Trend Micro says.

“The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.”

Luckily, 7-Zip developer Igor Pavlov patched this vulnerability on November 30, 2024, with the release of 7-Zip 24.09.

“7-Zip File Manager didn’t propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive),” Pavlov said.
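A defender can verify the propagation described above after extracting a downloaded archive. The following is an added example, not code from 7-Zip or the original article: the function names are hypothetical, the alternate data stream is only readable on Windows/NTFS, and ZoneId 3 is assumed to mean the Internet zone.

```python
import configparser
import os

INTERNET_ZONE = 3        # ZoneId written for files downloaded from the Internet
FIXED_VERSION = (24, 9)  # 7-Zip 24.09, the release named in the article


def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream content, or None."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_motw(path):
    """Read the Zone.Identifier alternate data stream; None if it is absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def unmarked_files(archive, extract_dir, reader=read_motw):
    """List extracted files that did not inherit the archive's MotW zone."""
    src = parse_zone_id(reader(archive) or "")
    if src is None or src < INTERNET_ZONE:
        return []  # archive itself is not marked, nothing to propagate
    missing = []
    for root, _dirs, files in os.walk(extract_dir):
        for name in files:
            path = os.path.join(root, name)
            zone = parse_zone_id(reader(path) or "")
            if zone is None or zone < src:
                missing.append(path)
    return sorted(missing)


def lacks_fix(version):
    """True if a 7-Zip version string such as '24.08' predates 24.09."""
    major, minor = (int(part) for part in version.split(".")[:2])
    return (major, minor) < FIXED_VERSION
```

The `reader` parameter lets the same check run against a stub on systems without NTFS streams; on Windows the default reads the real stream.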

Similar flaws exploited to deploy malware

However, since 7-Zip doesn’t have an auto-update feature, many users are likely still running a vulnerable version that threat actors could exploit to infect them with malware.

All 7-Zip users should patch their installs as soon as possible, considering that such vulnerabilities are often exploited in malware attacks.

For instance, in June, Microsoft addressed a Mark of the Web security bypass vulnerability (CVE-2024-38213) that DarkGate malware operators have exploited in the wild as a zero-day since March 2024 to circumvent SmartScreen protection and install malware camouflaged as installers for Apple iTunes, NVIDIA, Notion, and other legitimate software.

The financially motivated Water Hydra (aka DarkCasino) hacking group has also exploited another MotW bypass (CVE-2024-21412) in attacks targeting stock trading Telegram channels and forex trading forums with the DarkMe remote access trojan (RAT).
