Summary
CVE20250411 is a highseverity vulnerability in 7Zip where files extracted from crafted archives fail to inherit the Windows MarkoftheWeb (MoTW), allowing attackers to bypass security prompts and execute code with user privileges. Affecting versions prior to 24.09, it has been actively exploited in the wild, with public proofofconcepts available, and is listed in the CISA Known Exploited Vulnerabilities catalog. Updating to 7Zip 24.09 or later mitigates the risk.
Urgent Actions Required
- Update 7Zip to version 24.09 or later to ensure extracted files correctly receive the Windows MarkoftheWeb.
- Remove or isolate outdated 7Zip installations that are still vulnerable.
- Watch users opening unknown or suspicious archive files, since attacks need user action.
Which Systems Are Vulnerable to CVE-2025-0411?
Technical Overview
- Vulnerability Type: Missing Windows Mark-of-the-Web (MoTW) on extracted files
- Affected Software/Versions:
7-Zip versions prior to 24.09 - CVSS Score: 7.0
- CVSS Vector: v3.1
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available
7-Zip - Browse /7-Zip/24.09 at SourceForge.net
How Does the CVE-2025-0411 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-0411?
Vulnerability Root Cause:
The flaw comes from how 7Zip handles archives with a MarkoftheWeb flag. When a crafted archive is extracted, 7Zip does not pass the MoTW flag to the extracted files. Because the extracted files lose this security marker, Windows cannot apply its usual protections. This lapse in MoTW propagation creates an opportunity for attackers to deliver files that appear safe but can run without the restrictions normally placed on content from untrusted sources.
How Can You Mitigate CVE-2025-0411?
If immediate patching is delayed or not possible:
- Only open archives from trusted sources.
- Scan or sandbox suspicious files.
- Keep antivirus and endpoint protection updated.
- Warn users to avoid unknown files.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Systems using 7-Zip versions prior to 24.09 — since these versions fail to apply the Mark-of-the-Web to extracted files.
- Endpoints where users handle internet-downloaded archives — because extracted files may appear trusted even when they are not.
- Environments relying on MoTW-based restrictions (such as Windows security prompts or applications like MS Office that limit macro execution when MoTW is present).
Business-Critical Systems at Risk:
- User workstations in organizations — attackers can deliver malicious archives that bypass expected warnings.
- Systems where files from the internet are routinely opened — increasing chances of users unintentionally executing harmful content.
- Workflows depending on MoTW for safety controls — as missing MoTW may lead to reduced warnings and weakened protection.
Exposure Level:
- Any device running outdated 7-Zip (pre-24.09) — since the vulnerability is actively exploited in the wild.
- Machines used to open or extract files from untrusted sources — especially those without centralized patching or automated software updates.
- Environments without strong user-awareness controls — as exploitation requires user interaction such as opening a crafted archive.
Will Patching CVE-2025-0411 Cause Downtime?
Patch application impact: Updating to 7-Zip 24.09 generally causes minimal disruption, as the fix only requires installing the updated version. Most environments can apply the update quickly with little or no downtime.
How Can You Detect CVE-2025-0411 Exploitation?
Alerting Strategy:
- Priority: High
- Trigger alerts when:
Files extracted via 7Zip lack MoTW despite originating from untrusted or internet sources.
Remediation & Response
Remediation Timeline:
- Immediate (0–2 hrs): Update all 7Zip installations to version 24.09 or later.
- Within 24 hrs: Verify that no vulnerable versions remain on endpoints, servers, or CI/CD environments.
Incident Response Considerations:
- Isolate affected systems if untrusted archives have been opened to prevent further arbitrary code execution.
- Review whether any malicious archives were extracted prior to patching.
- Ensure all systems using 7Zip are updated and that users are aware of the risks of opening files from untrusted sources.
Compliance & Governance Notes
- Audit Trail Requirement:
- Recording when 7Zip 24.09 (or later) is deployed across systems.
- Keeping basic update logs such as:
- Date and time of installation
- Machines updated
- Responsible personnel
- Policy Alignment:
Ensure internal software update or vulnerability management processes include updating 7Zip to version 24.09 to prevent exploitation from malicious archives.
Where Can I Find More Information on CVE-2025-0411?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 7.0 | The vector indicates highimpact consequences across confidentiality, integrity, and availability |
| Attack Vector | Local | Exploitation requires local system access; cannot be triggered over the network |
| Attack Complexity | High | The attack requires specific conditions or preparation, making exploitation more difficult |
| Privileges Required | None | No elevated permissions are needed to trigger the vulnerability |
| User Interaction | Required | The vulnerable action depends on the user, such as opening or interacting with a crafted file |
| Scope | UnChanged | The impact is confined to the affected component and does not extend to other system components |
| Confidentiality Impact | High | Successful exploitation can expose sensitive information |
| Integrity Impact | High | The flaw can allow unauthorized modification of data |
| Availability Impact | High | Exploitation can significantly disrupt or damage system availability |
