CVE-2025-0411

Published Jan 25, 2025

Last updated a month ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-0411 is a vulnerability found in the 7-Zip file archiver that allows attackers to bypass the Mark-of-the-Web (MOTW) security feature in Windows. This vulnerability enables attackers to create specially crafted archives. When these archives are extracted using a vulnerable version of 7-Zip, the extracted files do not inherit the MOTW attribute, which normally marks files downloaded from the internet as potentially unsafe. This bypass allows malicious code within the extracted files to execute without triggering the usual security warnings associated with MOTW. Exploiting this vulnerability requires user interaction: a user must either open a malicious file or visit a webpage that triggers the download and extraction of a malicious archive. The vulnerability was addressed in 7-Zip version 24.09, released on November 29, 2024. A proof-of-concept exploit has been publicly released as of January 27, 2025.

Description
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
Source
zdi-disclosures@trendmicro.com
NVD status
Analyzed

Risk scores

CVSS 3.1

Type
Primary
Base score
7
Impact score
5.9
Exploitability score
1
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

CVSS 3.0

Type
Secondary
Base score
7
Impact score
5.9
Exploitability score
1
Vector string
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
7-Zip Mark of the Web Bypass Vulnerability
Exploit added on
Feb 6, 2025
Exploit action due
Feb 27, 2025
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

zdi-disclosures@trendmicro.com
CWE-693
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending
  1. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    4 Mar 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. #CyberSecurity #Vulnerability CVE-2025-0411: 7-Zip Vulnerability Exploited in Attacks on Ukraine https://t.co/0aAaaXp4Se

    @Komodosec

    3 Mar 2025

    65 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    3 Mar 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    26 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  5. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    26 Feb 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    25 Feb 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    24 Feb 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  8. Explore Cool CVEs 🔹 CVE-2024-45519 🔹 CVE-2024-46538 🔹 CVE-2024-49113 🔹 CVE-2024-9264 🔹 CVE-2025-0411 🔹 CVE-2020-7660 Check it out & level up your exploit game! https://t.co/ZNLzGRXrDy #CyberSecurity #ExploitDev #RedTeam

    @defhawk_specter

    23 Feb 2025

    83 Impressions

    1 Retweet

    4 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  9. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    22 Feb 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  10. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    17 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. GitHub - dhmosfunk/7-Zip-CVE-2025-0411-POC: This repository contains POC scenarios as part of CVE-2025-0411 MotW bypass. https://t.co/xEDxGdJBn2

    @akaclandestine

    14 Feb 2025

    1843 Impressions

    11 Retweets

    33 Likes

    19 Bookmarks

    0 Replies

    1 Quote

  12. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/cGUdvYTnrI https://t.co/1w277lZuC0

    @shbertin

    12 Feb 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/bcbyqgebks https://t.co/9qO6EIagTv

    @shbertin

    11 Feb 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/cyoow4nRwK https://t.co/jF2Wgm34Rm

    @Giodomi1989

    11 Feb 2025

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/fMGQDqP3QD https://t.co/jSnm6xNLcw

    @SeanWilliams68

    10 Feb 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    10 Feb 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  17. 7-Zip & Mark-of-Web (MoW) CVE-2025-0411 Tienes que habilitar la propagación MoW en la GUI o a través del registro https://t.co/ZwvezEVIok https://t.co/vb9PXSTSLe

    @elhackernet

    10 Feb 2025

    3180 Impressions

    3 Retweets

    37 Likes

    7 Bookmarks

    2 Replies

    0 Quotes

  18. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/Sfo94QAetT https://t.co/xT8JRzJHBm

    @SirajD_Official

    10 Feb 2025

    16 Impressions

    1 Retweet

    5 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    9 Feb 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  20. CVE-2025-0411 Zero-Day vulnerability in 7-Zip exploited in cyberespionage campaign targeting Ukraine https://t.co/PAlrcHUntZ https://t.co/uUTAfrdKcJ

    @scandaletti

    9 Feb 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. .@TrendMicro's @thezdi team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks. Learn more: https://t.co/bbT8rhFi30

    @christine_fady

    9 Feb 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 研究人員近期發現,早前的 7-Zip zero-day 漏洞背後的陰謀,俄羅斯駭客組織在入侵烏克蘭期間,利用 7-Zip 壓縮工具的一個 zero-day 漏洞,成功繞過 Windows 針對下載文件的安全防護機制。該漏洞已被追蹤為 CVE-2025-0411,並於 11 月底隨 7-Zip 版本 24.09 發佈時修復。 https://t.co/XtQTHw6aUQ

    @ccbea_

    9 Feb 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    9 Feb 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  24. .@TrendMicro's @thezdi team offers an analysis of how CVE-2025-0411, a zero-day vulnerability in 7-Zip was actively exploited to target Ukrainian organizations through spear-phishing and homoglyph attacks. Learn more: https://t.co/e6vZhoyl2D

    @alexandre_tovar

    8 Feb 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Stay secure by updating 7-Zip to version 24.09, a critical step to protect against CVE-2025-0411. Our experts provide a detailed breakdown of this vulnerability and its implications for your security posture. Read more:⬇️ https://t.co/2mWAMIOnlD

    @TrendMicroRSRCH

    8 Feb 2025

    370 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🔐 Russian cybercriminals are exploiting new 7-Zip vulnerability (CVE-2025-0411) to target Ukrainian organizations. This flaw bypasses Windows' MotW protections, allowing remote code execution via malicious archives. https://t.co/tM7to9cEf9

    @achi_tech

    8 Feb 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    7 Feb 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  28. #CVE-2025-0411 7-Zip Mark of the Web #Bypass #Vulnerability https://t.co/txJYjVAGJy

    @ScyScan

    7 Feb 2025

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 米国サイバーセキュリティ・社会基盤安全保障庁(CISA)が既知の悪用された脆弱性カタログに5件を追加。 - 7-ZipのCVE-2025-0411 - Dante DiscoveryのCVE-2022-23748 - OutlookのCVE-2024-21413 - CyberoamOSのCVE-2020-29574 - Sophos XG FirewallのCVE-2020-15069 https://t.co/0sYTd2KRAC https://t.co/aOFyydVO9D

    @__kokumoto

    6 Feb 2025

    1953 Impressions

    4 Retweets

    27 Likes

    8 Bookmarks

    1 Reply

    2 Quotes

  30. CVE-2025-0411では、脅威アクターは7-Zipのアーカイブ作成機能を用いてコンテンツを二重にアーカイブすることにより、MoTWを無効化することが可能です。実際にロシアのサイバー犯罪グループは、アーカイブ内に実行ファイルを埋め込み、そのアーカイブを別のアーカイブに埋め込むことで攻撃を行って

    @8pBWKnyWbz86364

    6 Feb 2025

    12 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. 7-Zip MotW Bypass CVE-2025-0411 明明就垃圾廢洞 為什麼那麼多新聞 = =

    @stevenyu113228

    6 Feb 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    6 Feb 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. 🛑🛡️ARCHIVOS ZIP PUEDEN INFECTAR TU EMPRESA SIN SER DETECTADOS: NUEVA VULNERABILIDAD EN 7-ZIP Un fallo de seguridad en 7-Zip (CVE-2025-0411) permitió que ciberdelincuentes evadir protecciones de Windows y desplegar malware sin levantar sospechas. Aunque el ataque fue dirigido

    @CycuraMX

    5 Feb 2025

    5687 Impressions

    38 Retweets

    94 Likes

    36 Bookmarks

    0 Replies

    0 Quotes

  34. ロシア系ハッカーが7-Zipのゼロデイ脆弱性「CVE-2025-0411」を悪用し、ウクライナの政府機関を標的にサイバー諜報活動を展開。Mark-of-the-Web(MoTW)保護を回避する手法で、SmokeLoaderマルウェアを配布。二重アーカイブとホモグリフ攻撃を利用して偽の.docファイルに誘導。 https://t.co/wCxKsPE1Fb

    @01ra66it

    5 Feb 2025

    801 Impressions

    6 Retweets

    14 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  35. به تازگی آسیب پذیری جدیدی برای ابزار فشرده سازی و آرشیو 7-Zip از نوع Zero day با کد شناسایی CVE-2025-0411 منتشر شده است که به هکرها امکان bypass کردن مکانیزم های امنیتی و دفاعی ویندوز و بارگزاری بدافزاری با نام smokeloader را می دهد. https://t.co/Poz3aKYxT1 https://t.co/0LkQ9IXO

    @AmirHossein_sec

    5 Feb 2025

    37 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Russian hackers exploit a 7-Zip vulnerability (CVE-2025-0411) to deploy SmokeLoader malware against Ukrainian industries, threatening sensitive data security. 🚨 #Ukraine #CyberThreats #SmokeLoader link: https://t.co/CDjFdkp3uA https://t.co/5jK1HVR2TE

    @TweetThreatNews

    5 Feb 2025

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  37. 7-Zipの脆弱性がゼロデイ攻撃に悪用されている(CVE-2025-0411) - 合同会社ロケットボーイズ https://t.co/4GeFfqi2f5 #izumino_trend

    @sec_trend

    5 Feb 2025

    66 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  38. Actively exploited CVE : CVE-2025-0411

    @transilienceai

    5 Feb 2025

    34 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  39. Windows uses Mark-of-the-web (MoTW) to mark local copies of files which have come from untrusted sources. CVE-2025-0411 allows threat actors to bypass this functionality by placing an archive inside an archive with 7-Zip. CVE-2025-0411 has been observed in the wild.

    @Final_456

    5 Feb 2025

    34 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  40. Trend Micro's ZDI team describe how the CVE-2025-0411 vulnerability in 7-Zip was actively exploited to target Ukrainian organizations in a SmokeLoader campaign involving homoglyph attacks. https://t.co/oOYH1RKpWM https://t.co/XJslAJ8XIm

    @virusbtn

    5 Feb 2025

    3775 Impressions

    24 Retweets

    60 Likes

    20 Bookmarks

    1 Reply

    0 Quotes

  41. #threatreport #HighCompleteness CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks | 04-02-2025 Source: https://t.co/1JhN5xuKmM Key details below ↓ 💀Threats: Homoglyph_technique, Smokeloader, Motw_bypass_technique,… https://t.co/0cVmG4iUZ

    @rst_cloud

    5 Feb 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. 🚨Threat Campaign Alert - Russian Cybercriminals Exploit 7-Zip Zero-Day (CVE-2025-0411) to Deploy SmokeLoader in Attacks on Ukraine🚨 Summary: A zero-day vulnerability (CVE-2025-0411) in 7-Zip was exploited by Russian cybercrime groups to bypass Windows Mark-of-the-Web… https://

    @CyberxtronTech

    5 Feb 2025

    82 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  43. 🔒 CVE-2025-0411 - Vulnerabilidad en 7-Zip que permite evadir Mark-of-the-Web 🔒 Investigadores de Trend Micro Zero Day Initiative han identificado una vulnerabilidad en 7-Zip que permite a atacantes evadir la protección "Mark-of-the-Web" (MotW) en Windows. https://t.co/wDzTZnD4

    @BanCERT_gt

    5 Feb 2025

    31 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  44. CVE-2025-0411: #Ukrainian Organizations Targeted in #Zero_Day Campaign and #Homoglyph_Attacks https://t.co/JJkEVC2hll https://t.co/K0MrlOJFc3

    @omvapt

    4 Feb 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 🔐 Cibercriminales rusos están explotando una nueva vulnerabilidad de 7-Zip (CVE-2025-0411) para atacar a organizaciones ucranianas Aprovechan una vulnerabilidad de 7-Zip para eludir las protecciones de MotW de Windows CVE-2025-0411 https://t.co/myQV4zkumk https://t.co/6odzsYr1

    @elhackernet

    4 Feb 2025

    5817 Impressions

    35 Retweets

    102 Likes

    32 Bookmarks

    0 Replies

    1 Quote

  46. 🐍 | ÚLTIMO MOMENTO: Ciberdelincuentes rusos explotan una vulnerabilidad en 7-Zip (CVE-2025-0411) para evadir protecciones de Windows y distribuir SmokeLoader vía phishing, atacando a organizaciones en Ucrania.

    @citarafy

    4 Feb 2025

    43 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  47. We identified a new #ZeroDay vulnerability exploiting 7-Zip (CVE-2025-0411) being actively exploited in-the-wild on September 25th, 2024. Russian groups utilized this vulnerability, deploying SmokeLoader for espionage operations targeting #Ukraine during the ongoing… https://t.co

    @gothburz

    4 Feb 2025

    29387 Impressions

    95 Retweets

    348 Likes

    164 Bookmarks

    7 Replies

    5 Quotes

  48. A zero-day vulnerability in 7-Zip, CVE-2025-0411, is being exploited by Russian hackers to bypass the MotW feature in attacks against Ukraine. Update your software to stay secure. 🚨 #7Zip #Ukraine #Malware link: https://t.co/fxI95yO9PU https://t.co/vqnPO4UvsK

    @TweetThreatNews

    4 Feb 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  49. A vulnerability in 7-Zip (CVE-2025-0411) is being exploited to deliver SmokeLoader malware, targeting Ukrainian organizations. Attackers bypass security by manipulating file extensions. #Ukraine #CyberThreat #7Zip link: https://t.co/HZI1tfHLDE https://t.co/0r8PBjmLmP

    @TweetThreatNews

    4 Feb 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 1/ Вразливість нульового дня в 7-Zip (CVE-2025-0411) була використана російськими кіберзлочинцями для атак на українські організації за допомогою SmokeLoader.

    @arunninghacker

    4 Feb 2025

    8838 Impressions

    14 Retweets

    88 Likes

    21 Bookmarks

    7 Replies

    0 Quotes

Configurations