CVE-2025-0411 | 7-Zip | PMF
| Vulnerability | CVE-2025-0411 |
|---|---|
| Type | Protection Mechanism Failure (CWE-693) |
| Description | A vulnerability in 7-Zip (prior to v24.09) allows attackers to bypass Windows Mark-of-the-Web (MoTW) protection by nesting archives. Files extracted from the inner archive do not inherit the Zone.Identifier of the outer archive, so Windows treats them as local files even when the outer archive was downloaded from the internet. |
| Affected Systems | Windows systems running 7-Zip versions before 24.09 |
| Attack Vector | Local (via user interaction), through opening specially crafted nested archive files (e.g., .zip inside .7z) |
| Exploit Mechanism | The attacker creates a nested archive where MoTW is stripped during extraction. A user opening the outer archive triggers extraction of the inner file without MoTW, bypassing Windows security prompts. |
| Impact of the Bug | Arbitrary code execution without triggering Windows’ SmartScreen or MoTW warnings, potentially leading to malware execution or further compromise. |
| Detection Techniques | File system monitoring for nested archive extraction behavior, scanning archives for nested structure anomalies, use of EDR/XDR solutions to log archive interactions |
| How to Detect if Exploited | Review of system logs for archive extractions, file creation events lacking MoTW ADS (Zone.Identifier), analysis of user download activity and security prompt suppression |
| Mitigation Steps | - Upgrade to 7-Zip version 24.09 or later<br>- Educate users not to open untrusted archive files<br>- Enable group policies to restrict unsigned script execution |
| Workaround if Available | Use alternative archiving tools that respect MoTW inheritance; manually scan files extracted from archives for missing Zone.Identifier ADS |
| References | - Zero Day Initiative ZDI-25-045<br>- 7-Zip v24.09 Release Notes<br>- Trend Micro Threat Report<br>- 7-Zip-CVE-2025-0411-POC |
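The detection and workaround rows above both come down to one check: did the files extracted from a downloaded archive keep the `Zone.Identifier` alternate data stream that the archive itself carried? The following PowerShell script is an added example, not code from the advisory, from 7-Zip, or from any of the references listed. It reads the archive's zone, walks the extraction folder, lists every file that lacks the stream and, with `-Repair`, re-stamps those files with the archive's zone so SmartScreen and Protected View apply again. It goes slightly beyond the table by covering the repair step as well as the scan. It assumes an NTFS volume and Windows PowerShell 5.1 or later; `$ArchivePath`, `$ExtractedDir` and the paths in the comments are placeholders, and `Get-ZoneId` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the advisory or the 7-Zip project): audit files extracted
# from a downloaded archive for a missing Zone.Identifier ADS and optionally re-apply it.
# Assumes NTFS and Windows PowerShell 5.1+. Paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $ArchivePath,   # e.g. C:\Users\alice\Downloads\outer.7z
    [Parameter(Mandatory)] [string] $ExtractedDir,  # folder the user extracted the archive into
    [switch] $Repair                                # re-apply MoTW to files that lack it
)

function Get-ZoneId {
    # Returns the ZoneId from a file's Zone.Identifier stream, or $null if the stream is absent.
    # The stream is a small INI fragment:
    #   [ZoneTransfer]
    #   ZoneId=3      (3 = Internet zone; 0-2 are Local/Intranet/Trusted)
    param([string] $Path)
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $content) { return $null }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$archiveZone = Get-ZoneId -Path $ArchivePath
if ($null -eq $archiveZone) {
    Write-Output "Archive '$ArchivePath' carries no Zone.Identifier; there is nothing for extracted files to inherit."
    return
}
Write-Output "Archive '$ArchivePath' has ZoneId=$archiveZone"

# Recurse so that files pulled out of a nested inner archive are covered too.
$missing = @()
foreach ($file in Get-ChildItem -LiteralPath $ExtractedDir -File -Recurse) {
    if ($null -eq (Get-ZoneId -Path $file.FullName)) {
        $missing += $file.FullName
        if ($Repair) {
            # Re-stamp with the archive's zone so SmartScreen / Office Protected View apply again.
            Set-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                -Value "[ZoneTransfer]`r`nZoneId=$archiveZone"
        }
    }
}

if ($missing.Count -eq 0) {
    Write-Output "All extracted files under '$ExtractedDir' carry Zone.Identifier."
} else {
    $suffix = if ($Repair) { ' (Zone.Identifier re-applied)' } else { '' }
    Write-Output ("{0} extracted file(s) lacked Zone.Identifier{1}:" -f $missing.Count, $suffix)
    $missing | ForEach-Object { Write-Output "  $_" }
}
```

Run it first without `-Repair` to see which files lost the mark; a non-empty list after extracting a downloaded archive with a pre-24.09 7-Zip is the inheritance failure this entry describes. The same script works with any archiver, which makes it a quick way to confirm that the "alternative archiving tools" in the workaround row actually propagate MoTW on your build.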