A high-severity vulnerability in 7-Zip (CVE-2025-0411) allowed attackers to bypass Windows' Mark of the Web (MotW) security mechanism, enabling the execution of malicious code when extracting files from nested archives. MotW flags, introduced in 7-Zip version 22.00, help alert users and applications to potentially unsafe files downloaded from the internet.
Trend Micro reported that this flaw prevents 7-Zip from propagating the MotW flag to extracted files, enabling attackers to exploit it through crafted archives. Exploitation requires user interaction, such as visiting a malicious website or opening a harmful file.
The vulnerability has been patched in 7-Zip version 24.09, released on November 30, 2024. However, because 7-Zip lacks an auto-update feature, many users may still be running older, vulnerable versions.
Similar MotW bypasses have been used in malware attacks, including campaigns by the Water Hydra hacking group and DarkGate malware operators. Users are strongly urged to update 7-Zip promptly to avoid potential exploitation.
Read more...