CVE-2025-1240

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected WinZip installations by tricking users into opening malicious 7Z files. Attackers can gain full control of the system with the same privileges as the current user. All WinZip users who process untrusted 7Z files are affected.

💻 Affected Systems

Products:
  • WinZip
Versions: Not specified in the advisory; assume all versions before the patch are affected
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default WinZip installations when processing 7Z archives

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to data theft, ransomware deployment, or persistent backdoor installation

🟠 Likely Case: Malware execution leading to credential harvesting, data exfiltration, or lateral movement within the network

🟢 If Mitigated: Limited impact if proper application sandboxing and least privilege principles are enforced

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening a malicious file), but exploitation is reliable once triggered

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WinZip vendor advisory for specific patched version

Vendor Advisory: https://www.winzip.com/en/support/security-advisories/

Restart Required: No

Instructions:

1. Open WinZip application
2. Navigate to Help > Check for Updates
3. Follow prompts to install latest version
4. Verify update completed successfully

🔧 Temporary Workarounds

Disable 7Z file association (Windows)

Prevent WinZip from automatically opening 7Z files:

Control Panel > Default Programs > Associate a file type or protocol with a program > Select .7z > Change program > Choose different application

Use application control policies (all platforms)

Restrict execution of WinZip to trusted directories only

🧯 If You Can't Patch

  • Implement application allowlisting to block WinZip execution entirely
  • Deploy endpoint detection and response (EDR) with behavioral monitoring for suspicious WinZip activity

🔍 How to Verify

Check if Vulnerable:

Check WinZip version against vendor's patched version list

Check Version:

Open WinZip > Help > About WinZip

Verify Fix Applied:

Confirm WinZip version is equal to or greater than patched version

📡 Detection & Monitoring

Log Indicators:

  • Unusual WinZip process spawning child processes
  • WinZip accessing unexpected network resources
  • Multiple 7Z file processing failures

Network Indicators:

  • WinZip process making unexpected outbound connections
  • DNS queries from WinZip to suspicious domains

SIEM Query:

process_name:"winzip*" AND (process_spawned:true OR network_connection:true)
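The SIEM query above expressed as a small detection script, added here as an example and not part of the advisory. It runs the two indicators (WinZip spawning a child process, WinZip opening a network connection) over constructed Sysmon-style JSON event lines; the field names and sample paths are assumptions, not real telemetry.

```python
import json
from typing import Iterable

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not real log data).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = r'''
{"EventID": 1, "Image": "C:\\Program Files\\WinZip\\WINZIP64.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINZIP64.EXE invoice.7z"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\WinZip\\WINZIP64.EXE", "CommandLine": "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\run.ps1"}
{"EventID": 3, "Image": "C:\\Program Files\\WinZip\\WINZIP64.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
'''

def is_winzip(image: str) -> bool:
    """Match the WinZip executable the way the advisory's query does (winzip*), by file name."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name.startswith("winzip")

def detect(lines: Iterable[str]) -> list[dict]:
    """Return one alert per event matching the advisory's indicators:
    WinZip spawning a child process, or WinZip opening a network connection."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("EventID") == 1 and is_winzip(ev.get("ParentImage", "")):
            alerts.append({"rule": "winzip_child_process",
                           "child": ev["Image"], "cmd": ev.get("CommandLine", "")})
        elif ev.get("EventID") == 3 and is_winzip(ev.get("Image", "")):
            alerts.append({"rule": "winzip_network_connection",
                           "dest": f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}'})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Expect benign matches such as WinZip's own update check (Help > Check for Updates) on the network rule; review and allowlist those destinations rather than suppressing the rule.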
