A critical vulnerability in the popular 7-Zip file archiver, identified as CVE-2025-0411, has been actively exploited in the wild, primarily targeting Ukrainian entities[1]. This zero-day flaw allows attackers to bypass Windows’ Mark of the Web (MoTW) security feature, enabling the execution of malicious code without user warnings. This poses a significant threat, as it lowers the barrier for malware distribution and can lead to widespread compromise.
Vulnerability: A MoTW Bypass
The core issue lies in how 7-Zip handles archived files. Windows uses the MoTW to tag files downloaded from the internet. This tag is crucial for security, as it allows Windows to display warnings before executing potentially dangerous files. CVE-2025-0411[2,3] arises because 7-Zip fails to propagate the MoTW to files extracted from specially crafted archives. An attacker can create a malicious archive, and when a user extracts its contents using a vulnerable version of 7-Zip, the extracted files lose their MoTW. This allows malicious code to run without triggering the usual Windows security prompts, effectively silencing the built-in warning system.
MoTW warnings in Windows
Technical Details: Severity and Impact
The vulnerability has been assigned a CVSS score of 7.0[3], indicating a significant level of severity. The impact is substantial, as it allows for arbitrary code execution. This means an attacker can run any program they want on the victim’s computer with the same privileges as the user running 7-Zip. The consequences can be dire, ranging from malware installation and data theft to complete system takeover.
Exploitation: Targeting Ukraine
Security researchers at Trend Micro have uncovered evidence of this vulnerability being actively exploited in targeted attacks, primarily aimed at Ukrainian government organizations and private entities[1].
The attacks have been attributed to Russian hacking groups and have been used to distribute SmokeLoader malware. SmokeLoader is a known malware dropper, meaning its primary function is to download and install other malicious payloads onto compromised systems. The MoTW bypass provided by CVE-2025-0411 significantly facilitates the spread of SmokeLoader and any subsequent malware it installs.
Proof-of-Concept and Increased Risk
Compounding the problem, a proof-of-concept (PoC) exploit for CVE-2025-0411 has been publicly released[4]. This PoC demonstrates how an attacker can craft a malicious archive that, when extracted with a vulnerable version of 7-Zip, results in arbitrary code execution without MoTW warnings. The availability of a PoC significantly lowers the barrier to entry for attackers, making widespread exploitation much more likely. Even less sophisticated attackers can now leverage the PoC to create their own malicious archives.
Mitigation: Update
The 7-Zip development team has addressed this vulnerability in version 24.09, released on November 30, 2024[1]. This update ensures that the MoTW is correctly propagated to extracted files, restoring Windows’ security prompts[5]. However, 7-Zip does not have an automatic update feature. Users must manually download and install the latest version from the official 7-Zip website (www.7-zip.org).
Recommendations for Protection:
- Update 7-Zip: Ensure the installed version is 24.09 or later.
- Verify File Sources: Exercise extreme caution when handling files from untrusted sources, especially those received via email or downloaded from the internet. Be wary of unexpected attachments or downloads.
- Security Software: Ensure Defender (or whichever endpoint security product is in use) is up to date. While it may not catch every instance, it provides an additional layer of protection.
- Monitor for Suspicious Activity: Be vigilant for any unusual behavior on the system, such as unexpected pop-ups, slow performance, or unfamiliar programs running.
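The following PowerShell script is an added example (not from the article or the 7-Zip project) that turns the first recommendation into a check: after extracting a downloaded archive with 7-Zip the way you normally would, it compares the installed 7-Zip version against the fixed 24.09 release and verifies that the extracted files kept the Mark of the Web carried by the source archive. It assumes 7-Zip is installed at the default path, that the source archive is something you downloaded yourself (for instance a harmless test archive you built and fetched from your own web server), and that the MoTW is stored, as on NTFS, in the file's "Zone.Identifier" alternate data stream with ZoneId=3 meaning "Internet".

```powershell
# Added example: audit 7-Zip version and MoTW propagation for CVE-2025-0411.
param(
    [Parameter(Mandatory)] [string] $Archive,       # the downloaded archive
    [Parameter(Mandatory)] [string] $ExtractedDir,  # folder you extracted it into
    [string] $SevenZipExe = "$env:ProgramFiles\7-Zip\7z.exe"  # assumed default install path
)

function Get-ZoneId([string] $Path) {
    # Returns the ZoneId from the file's Zone.Identifier stream, or $null if the file is unmarked.
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in @($ads)) {
        if ($line -match '^ZoneId=(\d+)') { return [int] $Matches[1] }
    }
    return $null
}

# 1. Version check. Assumes 7z.exe's file version string parses as a version (e.g. "24.09").
$installed = [version] (Get-Item -LiteralPath $SevenZipExe).VersionInfo.FileVersion
if ($installed -lt [version] '24.09') {
    Write-Warning "7-Zip $installed is affected by CVE-2025-0411; update to 24.09 or later."
} else {
    Write-Host "7-Zip $installed includes the CVE-2025-0411 fix."
}

# 2. The source archive must itself be marked; otherwise there is nothing to propagate.
$srcZone = Get-ZoneId $Archive
if ($srcZone -ne 3) {
    Write-Warning "Source archive has ZoneId '$srcZone' (expected 3); propagation cannot be judged."
    return
}

# 3. Every extracted file should carry ZoneId=3 as well; list those that do not.
$unmarked = Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File |
    Where-Object { (Get-ZoneId $_.FullName) -ne 3 }

if ($unmarked) {
    Write-Warning "MoTW was NOT propagated to $(@($unmarked).Count) extracted file(s):"
    $unmarked | ForEach-Object { Write-Warning "  $($_.FullName)" }
} else {
    Write-Host "All extracted files carry ZoneId=3; MoTW was propagated."
}
```

Run it as `.\Check-7ZipMotw.ps1 -Archive .\test.zip -ExtractedDir .\test` from the folder holding the script; a patched 7-Zip should report no unmarked files, while a vulnerable one will list the files that lost their tag.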
Conclusion:
CVE-2025-0411 is a serious vulnerability that has been actively exploited in targeted attacks. The lack of an auto-update feature in 7-Zip, combined with the public availability of a PoC, increases the risk of widespread exploitation. Updating to version 24.09 is paramount. Users should also practice safe file handling habits and remain vigilant for suspicious activity. This incident serves as a reminder of the importance of staying updated with security patches and practicing safe computing habits.
References
- [1] Bill Toulas, BleepingComputer: https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/
- [2] Kaspersky: https://www.kaspersky.com/blog/cve-2025-0411-motw-subvert/52907/
- [3] Daryna Antoniuk, The Record: https://therecord.media/smokeloader-malware-russia-ukraine-financial-institutions
- [4] NHS Digital cyber alert CC-4610: https://digital.nhs.uk/cyber-alerts/2025/cc-4610
- [5] Cyber Security Agency of Singapore alert AL-2025-005: https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-005
- Image Source: https://www.bleepstatic.com/images/news/software/7/7-zip/motw/windows-motw-download-warning.jpg