AI description
CVE-2025-0411 is a vulnerability found in the 7-Zip file archiver that allows attackers to bypass the Mark-of-the-Web (MOTW) security feature in Windows. This vulnerability enables attackers to create specially crafted archives. When these archives are extracted using a vulnerable version of 7-Zip, the extracted files do not inherit the MOTW attribute, which normally marks files downloaded from the internet as potentially unsafe. This bypass allows malicious code within the extracted files to execute without triggering the usual security warnings associated with MOTW. Exploiting this vulnerability requires user interaction: a user must either open a malicious file or visit a webpage that triggers the download and extraction of a malicious archive. The vulnerability was addressed in 7-Zip version 24.09, released on November 29, 2024. A proof-of-concept exploit has been publicly released as of January 27, 2025.
- Description
- 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
- Source
- zdi-disclosures@trendmicro.com
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 7
- Impact score
- 5.9
- Exploitability score
- 1
- Vector string
- CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
CVSS 3.0
- Type
- Secondary
- Base score
- 7
- Impact score
- 5.9
- Exploitability score
- 1
- Vector string
- CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
Data from CISA
- Vulnerability name
- 7-Zip Mark of the Web Bypass Vulnerability
- Exploit added on
- Feb 6, 2025
- Exploit action due
- Feb 27, 2025
- Required action
- Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
- zdi-disclosures@trendmicro.com
- CWE-693
- nvd@nist.gov
- NVD-CWE-noinfo
- Hype score
- Not currently trending
Actively exploited CVE : CVE-2025-0411
@transilienceai
4 Mar 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#CyberSecurity #Vulnerability CVE-2025-0411: 7-Zip Vulnerability Exploited in Attacks on Ukraine https://t.co/0aAaaXp4Se
@Komodosec
3 Mar 2025
65 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
3 Mar 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
26 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
26 Feb 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
25 Feb 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
24 Feb 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Explore Cool CVEs 🔹 CVE-2024-45519 🔹 CVE-2024-46538 🔹 CVE-2024-49113 🔹 CVE-2024-9264 🔹 CVE-2025-0411 🔹 CVE-2020-7660 Check it out & level up your exploit game! https://t.co/ZNLzGRXrDy #CyberSecurity #ExploitDev #RedTeam
@defhawk_specter
23 Feb 2025
83 Impressions
1 Retweet
4 Likes
2 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
22 Feb 2025
6 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
17 Feb 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
GitHub - dhmosfunk/7-Zip-CVE-2025-0411-POC: This repository contains POC scenarios as part of CVE-2025-0411 MotW bypass. https://t.co/xEDxGdJBn2
@akaclandestine
14 Feb 2025
1843 Impressions
11 Retweets
33 Likes
19 Bookmarks
0 Replies
1 Quote
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/cGUdvYTnrI https://t.co/1w277lZuC0
@shbertin
12 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/bcbyqgebks https://t.co/9qO6EIagTv
@shbertin
11 Feb 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/cyoow4nRwK https://t.co/jF2Wgm34Rm
@Giodomi1989
11 Feb 2025
39 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/fMGQDqP3QD https://t.co/jSnm6xNLcw
@SeanWilliams68
10 Feb 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
10 Feb 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
7-Zip & Mark-of-Web (MoW) CVE-2025-0411 Tienes que habilitar la propagación MoW en la GUI o a través del registro https://t.co/ZwvezEVIok https://t.co/vb9PXSTSLe
@elhackernet
10 Feb 2025
3180 Impressions
3 Retweets
37 Likes
7 Bookmarks
2 Replies
0 Quotes
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/Sfo94QAetT https://t.co/xT8JRzJHBm
@SirajD_Official
10 Feb 2025
16 Impressions
1 Retweet
5 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
9 Feb 2025
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/PAlrcHUntZ https://t.co/uUTAfrdKcJ
@scandaletti
9 Feb 2025
36 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
.@TrendMicro's @thezdi team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks. Learn more: https://t.co/bbT8rhFi30
@christine_fady
9 Feb 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
研究人員近期發現,早前的 7-Zip zero-day 漏洞背後的陰謀,俄羅斯駭客組織在入侵烏克蘭期間,利用 7-Zip 壓縮工具的一個 zero-day 漏洞,成功繞過 Windows 針對下載文件的安全防護機制。該漏洞已被追蹤為 CVE-2025-0411,並於 11 月底隨 7-Zip 版本 24.09 發佈時修復。 https://t.co/XtQTHw6aUQ
@ccbea_
9 Feb 2025
44 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
9 Feb 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
.@TrendMicro's @thezdi team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks. Learn more: https://t.co/e6vZhoyl2D
@alexandre_tovar
8 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Stay secure by updating 7-Zip to version 24.09, a critical step to protect against CVE-2025-0411. Our experts provide a detailed breakdown of this vulnerability and its implications for your security posture. Read more:⬇️ https://t.co/2mWAMIOnlD
@TrendMicroRSRCH
8 Feb 2025
370 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔐 Russian cybercriminals are exploiting new 7-Zip vulnerability (CVE-2025-0411) to target Ukrainian organizations. This flaw bypasses Windows' MotW protections, allowing remote code execution via malicious archives. https://t.co/tM7to9cEf9
@achi_tech
8 Feb 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
7 Feb 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#CVE-2025-0411 7-Zip Mark of the Web #Bypass #Vulnerability https://t.co/txJYjVAGJy
@ScyScan
7 Feb 2025
68 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
米国サイバーセキュリティ・社会基盤安全保障庁(CISA)が既知の悪用された脆弱性カタログに5件を追加。 - 7-ZipのCVE-2025-0411 - Dante DiscoveryのCVE-2022-23748 - OutlookのCVE-2024-21413 - CyberoamOSのCVE-2020-29574 - Sophos XG FirewallのCVE-2020-15069 https://t.co/0sYTd2KRAC https://t.co/aOFyydVO9D
@__kokumoto
6 Feb 2025
1953 Impressions
4 Retweets
27 Likes
8 Bookmarks
1 Reply
2 Quotes
CVE-2025-0411では、脅威アクターは7-Zipのアーカイブ作成機能を用いてコンテンツを二重にアーカイブすることにより、MoTWを無効化することが可能です。実際にロシアのサイバー犯罪グループは、アーカイブ内に実行ファイルを埋め込み、そのアーカイブを別のアーカイブに埋め込むことで攻撃を行って
@8pBWKnyWbz86364
6 Feb 2025
12 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
7-Zip MotW Bypass CVE-2025-0411 明明就垃圾廢洞 為什麼那麼多新聞 = =
@stevenyu113228
6 Feb 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
6 Feb 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🛑🛡️ARCHIVOS ZIP PUEDEN INFECTAR TU EMPRESA SIN SER DETECTADOS: NUEVA VULNERABILIDAD EN 7-ZIP Un fallo de seguridad en 7-Zip (CVE-2025-0411) permitió que ciberdelincuentes evadir protecciones de Windows y desplegar malware sin levantar sospechas. Aunque el ataque fue dirigido
@CycuraMX
5 Feb 2025
5687 Impressions
38 Retweets
94 Likes
36 Bookmarks
0 Replies
0 Quotes
ロシア系ハッカーが7-Zipのゼロデイ脆弱性「CVE-2025-0411」を悪用し、ウクライナの政府機関を標的にサイバー諜報活動を展開。Mark-of-the-Web(MoTW)保護を回避する手法で、SmokeLoaderマルウェアを配布。二重アーカイブとホモグリフ攻撃を利用して偽の.docファイルに誘導。 https://t.co/wCxKsPE1Fb
@01ra66it
5 Feb 2025
801 Impressions
6 Retweets
14 Likes
2 Bookmarks
0 Replies
0 Quotes
به تازگی آسیب پذیری جدیدی برای ابزار فشرده سازی و آرشیو 7-Zip از نوع Zero day با کد شناسایی CVE-2025-0411 منتشر شده است که به هکرها امکان bypass کردن مکانیزم های امنیتی و دفاعی ویندوز و بارگزاری بدافزاری با نام smokeloader را می دهد. https://t.co/Poz3aKYxT1 https://t.co/0LkQ9IXO
@AmirHossein_sec
5 Feb 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Russian hackers exploit a 7-Zip vulnerability (CVE-2025-0411) to deploy SmokeLoader malware against Ukrainian industries, threatening sensitive data security. 🚨 #Ukraine #CyberThreats #SmokeLoader link: https://t.co/CDjFdkp3uA https://t.co/5jK1HVR2TE
@TweetThreatNews
5 Feb 2025
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
7-Zipの脆弱性がゼロデイ攻撃に悪用されている(CVE-2025-0411) - 合同会社ロケットボーイズ https://t.co/4GeFfqi2f5 #izumino_trend
@sec_trend
5 Feb 2025
66 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-0411
@transilienceai
5 Feb 2025
34 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes
Windows uses Mark-of-the-web (MoTW) to mark local copies of files which have come from untrusted sources. CVE-2025-0411 allows threat actors to bypass this functionality by placing an archive inside an archive with 7-Zip. CVE-2025-0411 has been observed in the wild.
@Final_456
5 Feb 2025
34 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Trend Micro's ZDI team describe how the CVE-2025-0411 vulnerability in 7-Zip was actively exploited to target Ukrainian organizations in a SmokeLoader campaign involving homoglyph attacks. https://t.co/oOYH1RKpWM https://t.co/XJslAJ8XIm
@virusbtn
5 Feb 2025
3775 Impressions
24 Retweets
60 Likes
20 Bookmarks
1 Reply
0 Quotes
#threatreport #HighCompleteness CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks | 04-02-2025 Source: https://t.co/1JhN5xuKmM Key details below ↓ 💀Threats: Homoglyph_technique, Smokeloader, Motw_bypass_technique,… https://t.co/0cVmG4iUZ
@rst_cloud
5 Feb 2025
42 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Threat Campaign Alert - Russian Cybercriminals Exploit 7-Zip Zero-Day (CVE-2025-0411) to Deploy SmokeLoader in Attacks on Ukraine🚨 Summary: A zero-day vulnerability (CVE-2025-0411) in 7-Zip was exploited by Russian cybercrime groups to bypass Windows Mark-of-the-Web… https://
@CyberxtronTech
5 Feb 2025
82 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔒 CVE-2025-0411 - Vulnerabilidad en 7-Zip que permite evadir Mark-of-the-Web 🔒 Investigadores de Trend Micro Zero Day Initiative han identificado una vulnerabilidad en 7-Zip que permite a atacantes evadir la protección "Mark-of-the-Web" (MotW) en Windows. https://t.co/wDzTZnD4
@BanCERT_gt
5 Feb 2025
31 Impressions
1 Retweet
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-0411: #Ukrainian Organizations Targeted in #Zero_Day Campaign and #Homoglyph_Attacks https://t.co/JJkEVC2hll https://t.co/K0MrlOJFc3
@omvapt
4 Feb 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔐 Cibercriminales rusos están explotando una nueva vulnerabilidad de 7-Zip (CVE-2025-0411) para atacar a organizaciones ucranianas Aprovechan una vulnerabilidad de 7-Zip para eludir las protecciones de MotW de Windows CVE-2025-0411 https://t.co/myQV4zkumk https://t.co/6odzsYr1
@elhackernet
4 Feb 2025
5817 Impressions
35 Retweets
102 Likes
32 Bookmarks
0 Replies
1 Quote
🐍 | ÚLTIMO MOMENTO: Ciberdelincuentes rusos explotan una vulnerabilidad en 7-Zip (CVE-2025-0411) para evadir protecciones de Windows y distribuir SmokeLoader vía phishing, atacando a organizaciones en Ucrania.
@citarafy
4 Feb 2025
43 Impressions
0 Retweets
1 Like
1 Bookmark
0 Replies
0 Quotes
We identified a new #ZeroDay vulnerability exploiting 7-Zip (CVE-2025-0411) being actively exploited in-the-wild on September 25th, 2024. Russian groups utilized this vulnerability, deploying SmokeLoader for espionage operations targeting #Ukraine during the ongoing… https://t.co
@gothburz
4 Feb 2025
29387 Impressions
95 Retweets
348 Likes
164 Bookmarks
7 Replies
5 Quotes
A zero-day vulnerability in 7-Zip, CVE-2025-0411, is being exploited by Russian hackers to bypass the MotW feature in attacks against Ukraine. Update your software to stay secure. 🚨 #7Zip #Ukraine #Malware link: https://t.co/fxI95yO9PU https://t.co/vqnPO4UvsK
@TweetThreatNews
4 Feb 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A vulnerability in 7-Zip (CVE-2025-0411) is being exploited to deliver SmokeLoader malware, targeting Ukrainian organizations. Attackers bypass security by manipulating file extensions. #Ukraine #CyberThreat #7Zip link: https://t.co/HZI1tfHLDE https://t.co/0r8PBjmLmP
@TweetThreatNews
4 Feb 2025
32 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
1/ Вразливість нульового дня в 7-Zip (CVE-2025-0411) була використана російськими кіберзлочинцями для атак на українські організації за допомогою SmokeLoader.
@arunninghacker
4 Feb 2025
8838 Impressions
14 Retweets
88 Likes
21 Bookmarks
7 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AAFF445C-96F1-4328-A34E-A8C392B34BF3",
"versionEndExcluding": "24.09"
}
],
"operator": "OR"
}
]
}
]