7-Zip Fixes Critical Bug Endangering Your Security. Here’s A Quick Look at What to Know.

A critical vulnerability in the popular file archiving software 7-Zip has recently been patched. This bug allowed attackers to bypass the Windows Mark of the Web (MoTW) security feature, potentially enabling the execution of malicious code on users’ computers. The vulnerability, identified as CVE-2025-0411, was discovered by Trend Micro and has been assigned a high severity rating.

Understanding the Vulnerability

The flaw was found in the way 7-Zip handled archived files. When extracting files from a crafted archive that carried the MoTW flag, 7-Zip did not propagate this flag to the extracted files. This oversight allowed attackers to bypass critical security checks designed to protect against malicious content. By exploiting this vulnerability, an attacker could execute arbitrary code within the context of the current user.

Impact and Exploitation

Exploitation of this vulnerability required user interaction, such as visiting a malicious webpage or opening a malicious file. This made the vulnerability particularly concerning for environments where users frequently handle files from untrusted sources. Attackers could exploit this flaw to distribute malware or gain unauthorized access to systems, especially in environments where users have administrative privileges.

Patch and Recommendations

7-Zip developer Igor Pavlov released a patch for this vulnerability on November 30, 2024, with the release of version 24.09. The patch ensures that MoTW flags are correctly propagated to extracted files. However, since 7-Zip does not have an auto-update feature, many users are likely still running a vulnerable version. Therefore, all 7-Zip users are strongly advised to update their software to version 24.09 or later as soon as possible.

Broader Context

This is not the first time a vulnerability in 7-Zip has been exploited by attackers. In June 2024, Microsoft addressed a similar MoTW bypass vulnerability (CVE-2024-38213) that was exploited by the DarkGate malware operators. The financially motivated Water Hydra hacking group also exploited another MoTW bypass (CVE-2024-21412) in attacks targeting stock trading Telegram channels and forex trading forums.

Conclusion

The discovery and patching of this vulnerability highlight the importance of keeping software up to date to protect against potential security threats. Users and organizations should act swiftly to mitigate risks associated with this flaw and ensure their systems are protected from malicious attacks.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it