A critical vulnerability in the popular 7-Zip file archiver, identified as CVE-2025-0411, has been actively exploited in the wild, primarily targeting Ukrainian entities[1]. This zero-day flaw allows attackers to bypass Windows’ Mark of the Web (MoTW) security feature, enabling the execution of malicious code without user warnings. This poses a significant threat, as it lowers the barrier for malware distribution and can lead to widespread compromise.
Vulnerability: A MoTW Bypass
The core issue lies in how 7-Zip’s handles archived files. Windows uses the MoTW to tag files downloaded from the internet. This tag is crucial for security, as it allows Windows to display warnings before executing potentially dangerous files. CVE-2025-0411[2,3] arises because 7-Zip fails to propagate the MoTW to files extracted from specially crafted archives. An attacker can create a malicious archive, and when a user extracts its contents using a vulnerable version of 7-Zip, the extracted files lose their MoTW. This allows malicious code to run without triggering the usual Windows security prompts, effectively silencing the built-in warning system.
MoTW warnings in Windows
Technical Details: Severity and Impact
With an assigned a CVSS score of 7.0[3], indicating a significant level of severity. The impact is substantial, as it allows for arbitrary code execution. This means an attacker can run any program they want on the victim’s computer with the same privileges as the user running 7-Zip. The consequences can be dire, ranging from malware installation and data theft to complete system takeover.
Exploitation: Targeting Ukraine
Security researchers at Trend Micro have uncovered evidence of this vulnerability being actively exploited in targeted attacks, primarily aimed at Ukrainian government organizations and private entities[1].
The attacks have been attributed to Russian hacking groups and have been used to distribute SmokeLoader malware. SmokeLoader is a known malware dropper, meaning its primary function is to download and install other malicious payloads onto compromised systems. The MoTW bypass provided by CVE-2025-0411 significantly facilitates the spread of SmokeLoader and any subsequent malware it installs.
Proof-of-Concept and Increased Risk
Compounding the problem, a proof-of-concept (PoC) exploit for CVE-2025-0411 has been publicly released[4]. This PoC demonstrates how an attacker can craft a malicious archive that, when extracted with a vulnerable version of 7-Zip, results in arbitrary code execution without MoTW warnings. The availability of a PoC significantly lowers the barrier to entry for attackers, making widespread exploitation much more likely. Even less sophisticated attackers can now leverage the PoC to create their own malicious archives.
Mitigation: Update
The 7-Zip development team has addressed this vulnerability in version 24.09, released on November 30, 2024[1]. This update ensures that the MoTW is correctly propagated to extracted files, restoring Windows’ security prompts.[5] However, 7-Zip does not have an automatic update feature. Users must manually download and install the latest version from the official 7-Zip website (www.7-zip.org).
Recommendations for Protection:
- Update 7-Zip: Important to ensure the running version 24.09 or later.
- Verify File Sources: Need to exercise extreme caution when handling files from untrusted sources, especially those received via email or downloaded from the internet. Be wary of unexpected attachments or downloads.
- Security Software: It’s important to ensure defender is up to date. While they might not catch every instance, they provide an additional layer of protection.
- Monitor for Suspicious Activity: Important to be vigilant for any unusual behavior on the system, such as unexpected pop-ups, slow performance, or unfamiliar programs running.
Conclusion:
CVE-2025-0411 is a serious vulnerability that has been actively exploited in targeted attacks. The lack of an auto-update feature in 7-Zip, combined with the public availability of a PoC, increases the risk of widespread exploitation. Updating to version 24.09 is paramount. Users should also practice safe file handling habits and remain vigilant for suspicious activity. This incident serves as a reminder of the importance of staying updated with security patches and practicing safe computing habits.
References
- Author: Bill Toulas, Link: https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/
- https://www.kaspersky.com/blog/cve-2025-0411-motw-subvert/52907/
- Author: Daryna Antoniuk , Link: https://therecord.media/smokeloader-malware-russia-ukraine-financial-institutions
- https://digital.nhs.uk/cyber-alerts/2025/cc-4610
- https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-005
- Image Source: https://www.bleepstatic.com/images/news/software/7/7-zip/motw/windows-motw-download-warning.jpg
Very well-structured articulation, Kaushik!
Interestingly, acknowledging that 7-Zip has had a long-standing presence since 1999 with well-documented, monitored, maintained, and continuously tested version releases, many IT consultations considered 7-Zip to score 9 in the Technology Readiness Level (TRL). However, 7-Zip lacks an auto-updated feature which puts the software updating effort on the users instead of the developer. This significant desired feature puts users at risk who could lack of security knowledge of ignoring the update as unnecessary. I became aware of the 7-Zip CVE instantly last November when my robust Wuzah Security Information Event Management (SIEM) tool alerted me that I had to update the 7-Zip on my computers [1]. What I like about Wazuh, it checks my computers against CVE databases (such as MITRE) identifying vulnerable computers [2].
[1] Wazuh. (n.d.). Wazuh: The Open Source Security Platform. Retrieved [date], from https://wazuh.com
[2] MITRE Corporation. (n.d.). Common vulnerabilities and exposures (CVE). Retrieved February 5, 2025, from https://cve.mitre.org
Nice post , Kaushik!
Surprisingly, when acknowledging that 7-Zip has had a long-standing presence since 1999 with well-documented, monitored, maintained, and continuously tested version releases, many IT consultations considered 7-Zip to score 9 in the Technology Readiness Level (TRL). However, 7-Zip lacks an auto-updated feature which puts the software updating effort on the users instead of the developer. This significant desired feature puts users at risk who could lack of security knowledge of ignoring the update as unnecessary. I became aware of the 7-Zip CVE instantly last November when my robust Wuzah Security Information Event Management (SIEM) tool alerted me that I had to update the 7-Zip on my computers [1]. What I like about Wazuh, it checks my computers against CVE databases (such as MITRE) identifying vulnerable computers [2].
[1] Wazuh. (n.d.). Wazuh: The Open Source Security Platform. Retrieved [date], from https://wazuh.com
[2] MITRE Corporation. (n.d.). Common vulnerabilities and exposures (CVE). Retrieved February 5, 2025, from https://cve.mitre.org
Well researched article on CVE-2025-0411. The exploitation of 7-Zip’s MoTW bypass is a serious concern and its active exploitation using Smokeloader, particularly against Ukrainian targets, is alarming. The chances of attacks are increased because of publicly available POC. The second thing that might play a critical role in increasing the attacks is the lack of an auto-update feature. While version 24.09 patches the issue, users need to manually update it. There are many users who are using 7-Zip and not updating their software regularly and unaware about this vulnerability. This pose a high risk of exploitation of this vulnerability. This incident highlights the challenges of securing the widely used software and the need of user vigilance to protect their systems.
This is a great breakdown of CVE-2025-0411 and its implications. The fact that 7-Zip fails to propagate the MoTW flag is a major concern, especially given how critical this security mechanism is for preventing malicious file execution. It’s alarming how such a small oversight can significantly lower the barrier to malware distribution. The active exploitation against Ukrainian entities reinforces how threat actors are quick to take advantage of these gaps. One thing that really stands out is 7-Zip’s lack of an auto-update feature. That alone increases the risk significantly since many users won’t even realize they’re running a vulnerable version unless they actively check.
Great analysis ! Great analysis! The way this vulnerability allows malware to run without triggering security prompts is alarming. Attackers are always quick to weaponize such flaws. Seeing it actively exploited against Ukrainian organizations proves how critical these weaknesses can be. The lack of MoTW propagation in 7-Zip is a serious flaw, and I can see how this could be leveraged in large-scale phishing or malware campaigns.
Hi Kaushik, I really enjoyed the topic you chose to discuss in this discussion post! I feel that this is an essential breakdown of the impacts on security that exist for CVE-2025-0411. Additionally, the ability to bypass MoTW is concerning as this signifies the friction reduction for malware to be executed. Apart from updating 7-zip, this incident highlights the lack of built-in auto-update mechanisms for widely used software. Without automated services, these vulnerabilities can persist longer than they should, especially for users who do not look out for updates. Although patches are crucial, organizations should also incorporate policy-based restrictions. One example that comes to mind is implementing Microsoft Defender Attack Surface Reduction rules to mitigate risks beyond just specific flaws.
A zero-day vulnerability (CVE-2025-0411) in 7-Zip allows attackers to bypass Windows’ MoTW security, enabling malware execution without warnings. Exploited in targeted attacks, primarily against Ukraine, it facilitates the spread of SmokeLoader malware. A proof-of-concept exploit has been released, increasing risk. Users should update to 7-Zip version 24.09 to fix the issue.