CVE-2025-0411

Confirmed PUBLISHED

7-Zip Mark-of-the-Web Bypass Vulnerability

7-Zip · 7-Zip
Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
7.0 High

At a Glance

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

nessus_scanner cisa
CVE Published
Jan 25, 2025
Exploitation Reported
Feb 06, 2025
CVSS
7.0 High
EPSS
Unauthenticated

Affected Versions

Vendor Product Version Status
7-Zip
7-Zip

24.08 (x64)

Affected

CVE References

  • ZDI-25-045 zerodayinitiative.com · CVE Record https://www.zerodayinitiative.com/advisories/ZDI-25-045/

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.