A high-severity vulnerability was found in the open-source file archiving tool 7-Zip that allows attackers to bypass the Windows Mark of the Web (MotW) security feature and potentially trick users into launching malware. The flaw is tracked as CVE-2025-0411, was reported through Trend Micro's Zero Day Initiative (advisory ZDI-25-045), and received a CVSS score of 7.0. “The CVE-2025-0411 vulnerability allows remote attackers to bypass the MotW protection mechanism on affected 7-Zip installations. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file,” Trend Micro stated. The advisory adds: “This specific vulnerability exists in the handling of archive files. When extracting files from a modified archive that has MotW, 7-Zip does not propagate MotW to the extracted files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the current user.”
In June 2022, 7-Zip added support for MotW in version 22.00. Since that release, 7-Zip recognises MotW metadata, which Windows stores in the NTFS alternate data stream “Zone.Identifier”, and labels files extracted from downloaded archives as potentially unsafe by writing the same stream to them. Because the mark lives in an alternate data stream, it only exists on NTFS volumes; files extracted to FAT or exFAT media never carry it, regardless of the 7-Zip version.
When a user opens a file that carries the Mark of the Web, Windows displays a security warning, and Microsoft Office opens the document in Protected View, which disables macros and makes the file read-only.
Figure: Windows warning shown when launching an executable file downloaded with the MotW flag (image: Bleeping Computer)
Attackers can bypass this warning by abusing a flawed version of 7-Zip: in affected releases before 24.09, the “Zone.Identifier” stream was not propagated to files extracted from nested archives (an archive contained inside another archive), as developer Igor Pavlov explained in the release notes for version 24.09. The outer archive still carries the mark, but the inner archive's contents come out clean, so the usual warning never appears when the user runs them. Because 7-Zip does not update itself automatically, users must manually install the latest version, 24.09, released on November 30, 2024, to fix this vulnerability.
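The following PowerShell is an added example, not code from the article or from the 7-Zip project. It checks whether the installed 7-Zip is at least 24.09, audits a directory extracted from a marked archive for files that lost the Zone.Identifier stream (the condition described above), and re-applies the mark to any it finds. The install path, the archive path and the extraction directory in the usage lines are assumptions; the ZoneId value 3 is the standard Internet-zone value that browsers write for downloads.

```powershell
# Added example: audit a 7-Zip extraction for missing Mark of the Web (MotW).
# Requires an NTFS volume, since Zone.Identifier is an alternate data stream.

# 1. Is the installed 7-Zip at or above the fixed release, 24.09?
function Test-SevenZipPatched {
    param([string]$ExePath = "$env:ProgramFiles\7-Zip\7z.exe")   # assumed default install path
    if (-not (Test-Path -LiteralPath $ExePath)) { return $null }  # not installed here
    $ver = [version](Get-Item -LiteralPath $ExePath).VersionInfo.ProductVersion  # "24.09" -> 24.9
    return ($ver -ge [version]'24.9')
}

# 2. Read the Zone.Identifier stream of one file. Returns the ZoneId as an
#    integer, or $null when the file carries no mark at all.
function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    foreach ($line in $raw) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

# 3. Audit: every file extracted from a marked archive should carry the same
#    zone as the archive. Returns the full paths of files that do not.
function Test-MotwPropagation {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractDir
    )
    $expected = Get-MotwZone -Path $ArchivePath
    if ($null -eq $expected) {
        Write-Warning "$ArchivePath has no Zone.Identifier stream; nothing to propagate."
        return @()
    }
    Get-ChildItem -LiteralPath $ExtractDir -Recurse -File |
        Where-Object { (Get-MotwZone -Path $_.FullName) -ne $expected } |
        Select-Object -ExpandProperty FullName
}

# 4. Re-apply the mark to the files the audit flagged, which is what a patched
#    7-Zip does on its own for nested archives.
function Set-MotwZone {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [int]$ZoneId = 3   # 3 = URLZONE_INTERNET, the value written for browser downloads
    )
    foreach ($p in $Path) {
        Set-Content -LiteralPath $p -Stream Zone.Identifier -Value @('[ZoneTransfer]', "ZoneId=$ZoneId")
    }
}

# Usage (assumed paths). Extract with 7-Zip first, e.g.
#   & "$env:ProgramFiles\7-Zip\7z.exe" x "$env:USERPROFILE\Downloads\outer.7z" -o"C:\tmp\out"
# then audit and repair:
$archive = "$env:USERPROFILE\Downloads\outer.7z"
$outDir  = 'C:\tmp\out'
if (Test-SevenZipPatched -ne $true) { Write-Warning '7-Zip is missing or older than 24.09' }
$missing = @(Test-MotwPropagation -ArchivePath $archive -ExtractDir $outDir)
if ($missing.Count -gt 0) {
    Write-Host "Re-marking $($missing.Count) file(s) that lost MotW:"
    $missing | ForEach-Object { Write-Host "  $_" }
    Set-MotwZone -Path $missing
}
```

Run the audit on an archive that contains a second archive: with 7-Zip 24.08 or earlier, the files unpacked from the inner archive are the ones reported, while the files at the top level of the outer archive keep their mark. Files for which `Get-Content -Stream` fails because they sit on a non-NTFS volume are reported as unmarked too, which is the correct conclusion from Windows' point of view.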
Sources:
https://www.bleepstatic.com/images/news/software/7/7-zip/motw/windows-motw-download-warning.jpg
https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/
https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://www.scworld.com/news/high-severity-flaw-in-file-archiver-7-zip-requires-manual-update
https://sourceforge.net/p/sevenzip/discussion/45797/thread/9c2d9061ce/
https://sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/
https://www.cve.org/CVERecord?id=CVE-2025-0411
https://www.zerodayinitiative.com/advisories/ZDI-25-045/