Zero-day vulnerability in 7-Zip

Security features bypass
CVE-2025-0411

This vulnerability was used to target both the Ukrainian government and other Ukrainian organizations in a SmokeLoader campaign that was likely deployed by Russian cybercrime groups.

Known malware:

SmokeLoader

Vulnerability details

Advisory: SB2025012003 - Mark-of-the-Web bypass in 7-Zip

Vulnerable component: 7-Zip

CVE-ID: CVE-2025-0411

CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N/E:A/RL:O/RC:C

CWE-ID: CWE-254 - Security Features

Description:

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the application ignores the Mark-of-the-Web identifier when extracting files from an archive: files extracted from a downloaded archive do not receive the marker. A remote attacker can trick the victim into executing files extracted by the application, as no additional security warning occurs.

Note: the vulnerability is being actively exploited in the wild.
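As an added example (not part of this advisory and not 7-Zip's own code), a PowerShell check a defender can run on Windows after extraction: it reads the Zone.Identifier stream that a browser attaches to a downloaded archive and re-applies it to any extracted file that lacks it, which is the propagation the vulnerable 7-Zip builds skip. The archive and extraction paths are assumptions; NTFS and Windows PowerShell 5 or later are assumed.

```powershell
# Added example: verify and restore Mark-of-the-Web on files extracted from a downloaded archive.
# Assumes NTFS and that $Archive was downloaded (so it carries a Zone.Identifier stream).
param(
    [Parameter(Mandatory)][string]$Archive,     # assumed path, e.g. C:\Users\me\Downloads\report.7z
    [Parameter(Mandatory)][string]$ExtractDir   # assumed path of the folder 7-Zip extracted into
)

# Read the archive's Mark-of-the-Web. ZoneId=3 means "Internet", ZoneId=4 "Restricted sites".
$motw = Get-Content -Path $Archive -Stream Zone.Identifier -ErrorAction SilentlyContinue
if (-not $motw) {
    Write-Host "Archive carries no Zone.Identifier stream; nothing to propagate."
    return
}
$zoneLine = $motw | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
if ($zoneLine) { Write-Host "Archive zone: $(($zoneLine -split '=')[1])" }

# Collect extracted files that lost the marker during extraction.
$missing = @()
Get-ChildItem -Path $ExtractDir -Recurse -File | ForEach-Object {
    $hasMotw = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $hasMotw) { $missing += $_ }
}

if ($missing.Count -eq 0) {
    Write-Host "All extracted files already carry Mark-of-the-Web."
    return
}

# Re-apply the archive's Zone.Identifier to every file that lacks it, so that SmartScreen
# and Office Protected View treat the extracted content as Internet-sourced again.
foreach ($f in $missing) {
    Set-Content -Path $f.FullName -Stream Zone.Identifier -Value $motw
    Write-Host "Restored Mark-of-the-Web on $($f.FullName)"
}
```

This is a compensating check for already-extracted content, not a fix; the fix is updating 7-Zip to a release that propagates the marker itself.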