Researchers mentioned they not too long ago found a zero-day vulnerability within the 7-Zip archiving utility that was actively exploited as a part of Russia’s ongoing invasion of Ukraine.
The vulnerability allowed a Russian cybercrime group to override a Home windows safety designed to restrict the execution of recordsdata downloaded from the Web. The protection is usually often known as MotW, quick for Mark of the Internet. It really works by inserting a “Zone.Identifier” tag on all recordsdata downloaded from the Web or from a networked share. This tag, a kind of NTFS Alternate Information Stream and within the type of a ZoneID=3, topics the file to further scrutiny from Home windows Defender SmartScreen and restrictions on how or when it may be executed.
There’s an archive in my archive
The 7-Zip vulnerability allowed the Russian cybercrime group to bypass these protections. Exploits labored by embedding an executable file inside an archive after which embedding the archive into one other archive. Whereas the outer archive carried the MotW tag, the inside one didn’t. The vulnerability, tracked as CVE-2025-0411, was fastened with the discharge of model 24.09 in late November.
Tag attributes of outer archive exhibiting the MotW.
Credit score:
Development Micro
Attributes of inner-archive exhibiting MotW tag is lacking.
Credit score:
Development Micro
“The foundation reason behind CVE-2025-0411 is that previous to model 24.09, 7-Zip didn’t correctly propagate MoTW protections to the content material of double-encapsulated archives,” wrote Peter Girnus, a researcher at Development Micro, the safety agency that found the vulnerability. “This enables risk actors to craft archives containing malicious scripts or executables that won’t obtain MoTW protections, leaving Home windows customers weak to assaults.”
Researchers mentioned they not too long ago found a zero-day vulnerability within the 7-Zip archiving utility that was actively exploited as a part of Russia’s ongoing invasion of Ukraine.
The vulnerability allowed a Russian cybercrime group to override a Home windows safety designed to restrict the execution of recordsdata downloaded from the Web. The protection is usually often known as MotW, quick for Mark of the Internet. It really works by inserting a “Zone.Identifier” tag on all recordsdata downloaded from the Web or from a networked share. This tag, a kind of NTFS Alternate Information Stream and within the type of a ZoneID=3, topics the file to further scrutiny from Home windows Defender SmartScreen and restrictions on how or when it may be executed.
There’s an archive in my archive
The 7-Zip vulnerability allowed the Russian cybercrime group to bypass these protections. Exploits labored by embedding an executable file inside an archive after which embedding the archive into one other archive. Whereas the outer archive carried the MotW tag, the inside one didn’t. The vulnerability, tracked as CVE-2025-0411, was fastened with the discharge of model 24.09 in late November.
Tag attributes of outer archive exhibiting the MotW.
Credit score:
Development Micro
Attributes of inner-archive exhibiting MotW tag is lacking.
Credit score:
Development Micro
“The foundation reason behind CVE-2025-0411 is that previous to model 24.09, 7-Zip didn’t correctly propagate MoTW protections to the content material of double-encapsulated archives,” wrote Peter Girnus, a researcher at Development Micro, the safety agency that found the vulnerability. “This enables risk actors to craft archives containing malicious scripts or executables that won’t obtain MoTW protections, leaving Home windows customers weak to assaults.”
