CVE-2025-0411 – This vulnerability allows attackers to bypass W... (How to Fix)

Q: What is the severity of CVE-2025-0411?

CVE-2025-0411 has a CVSS score of 7.0 (HIGH). This vulnerability allows attackers to bypass Windows' Mark-of-the-Web security feature when extracting files with 7-Zip. Attackers can craft malicious archives that, when extracted, don't inherit the security warning, potentially leading to arbitrary code execution. Users of vulnerable 7-Zip versions on Windows systems are affected.

📋 TL;DR

This vulnerability allows attackers to bypass Windows' Mark-of-the-Web security feature when extracting files with 7-Zip. Attackers can craft malicious archives that, when extracted, don't inherit the security warning, potentially leading to arbitrary code execution. Users of vulnerable 7-Zip versions on Windows systems are affected.

💻 Affected Systems

Products:

7-Zip

Versions: Versions prior to 24.07

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Windows systems where Mark-of-the-Web is relevant. Linux/macOS versions are not affected by this specific vulnerability.

📦 What is this software?

7 Zip by 7 Zip

View all CVEs affecting 7 Zip →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with user privileges leading to full system compromise, data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Malware execution through social engineering where users download and extract malicious archives from untrusted sources, leading to system infection.

🟢

If Mitigated

Files remain flagged with MOTW warnings, users receive security prompts, and malicious code execution is prevented through proper security controls.

🌐 Internet-Facing: MEDIUM - Requires user interaction (downloading/opening malicious archives) but can be delivered through web pages or email attachments.

🏢 Internal Only: LOW - Primarily affects user workstations; requires user interaction with malicious content that would typically originate externally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction (opening malicious archive) and crafting of specific archive files. No public exploit code has been released as of current information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.07 and later

Vendor Advisory: https://www.7-zip.org/history.txt

Restart Required: No

Instructions:

1. Download 7-Zip 24.07 or later from official website. 2. Run installer. 3. Follow installation prompts. 4. Verify installation by checking version in About dialog.

🔧 Temporary Workarounds

Disable archive extraction from untrusted sources

windows

Configure Windows to block archive execution from internet zones or implement application control policies.

Use alternative archive software

all

Temporarily use Windows built-in extraction or other archive tools until 7-Zip is patched.

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unknown extracted files
Educate users to avoid extracting archives from untrusted sources and to verify file origins

🔍 How to Verify

Check if Vulnerable:

Open 7-Zip, go to Help > About, check if version is earlier than 24.07.

Check Version:

"C:\Program Files\7-Zip\7z.exe" --version

Verify Fix Applied:

After updating, verify version is 24.07 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

Windows Defender/Security logs showing MOTW bypass attempts
7-Zip process spawning unexpected child processes

Network Indicators:

Downloads of archive files from suspicious sources followed by immediate extraction

SIEM Query:

Process Creation where (Image contains '7z' OR ParentImage contains '7z') AND CommandLine contains '.exe'

📊 Metadata

CVE ID: CVE-2025-0411

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-693

EPSS Score: 33.82% exploit probability (96.8th percentile)

CISA KEV: Actively Exploited added Feb 6, 2025

Published: January 25, 2025

Last Updated: October 27, 2025

🔗 References

https://www.zerodayinitiative.com/advisories/ZDI-25-045/ Third Party Advisory,VDB Entry
http://www.openwall.com/lists/oss-security/2025/01/24/6 Mailing List
https://security.netapp.com/advisory/ntap-20250207-0005/ Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-0411-7-zip-mitigation-vulnerability Mitigation
https://www.vicarius.io/vsociety/posts/cve-2025-0411-detection-7-zip-vulnerability Mitigation
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-0411 US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-0411, you might also want to check these: