7-Zip MOTW Bypass Enables Remote Code Execution
CVE-2025-0411 Published on January 25, 2025

7-Zip Mark-of-the-Web Bypass Vulnerability
This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

NVD
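
As an added example (not part of the original advisory and not 7-Zip code), the Python sketch below audits an extraction for the condition described above: an archive whose NTFS `Zone.Identifier` stream marks it as downloaded, while files extracted from it lack the mark. The function names, paths and sample streams are assumptions constructed for illustration; on Windows, `read_zone_id` reads the real alternate data stream.

```python
import configparser

ZONE_INTERNET = 3  # URLZONE_INTERNET; 4 is the restricted zone

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None if absent/invalid."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(stream_text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None

def read_zone_id(path):
    """Read the Mark-of-the-Web of a file on NTFS; None when the stream is missing."""
    try:
        with open(path + ":Zone.Identifier", "r", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None

def is_marked(zone_id):
    """True for the Internet and restricted zones, which carry the mark."""
    return zone_id is not None and zone_id >= ZONE_INTERNET

def unmarked_extractions(archive, extracted, zone_of=read_zone_id):
    """List extracted files that lost the mark their source archive carries."""
    if not is_marked(zone_of(archive)):
        return []  # archive itself is not marked, nothing to propagate
    return [p for p in extracted if not is_marked(zone_of(p))]

# Constructed sample data (hypothetical paths), standing in for real streams.
SAMPLE_STREAMS = {
    "dl/invoice.7z": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a%20b.7z\r\n",
    "out/readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    # "out/setup.exe" has no entry: extracted without a Zone.Identifier stream
}

def sample_zone_of(path):
    """Offline stand-in for read_zone_id, backed by SAMPLE_STREAMS."""
    text = SAMPLE_STREAMS.get(path)
    return parse_zone_id(text) if text is not None else None

if __name__ == "__main__":
    print(unmarked_extractions("dl/invoice.7z",
                               ["out/readme.txt", "out/setup.exe"], sample_zone_of))
```

Any path the audit returns was extracted from a marked archive without inheriting the mark, so the usual download warnings will not apply when it is opened.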

Known Exploited Vulnerability

This 7-Zip Mark of the Web Bypass Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. 7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.

The following remediation steps are recommended / required by February 27, 2025: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weakness Type

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. This weakness covers three distinct situations. A "missing" protection mechanism occurs when the application does not define any mechanism against a certain class of attack. An "insufficient" protection mechanism might provide some defenses - for example, against the most common attacks - but it does not protect against everything that is intended. Finally, an "ignored" mechanism occurs when a mechanism is available and in active use within the product, but the developer has not applied it in some code path.


Products Associated with CVE-2025-0411


Affected Versions

7-Zip Version 24.08 (x64) is affected by CVE-2025-0411

Exploit Probability

EPSS: 52.41%
Percentile: 97.92%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.