CVE-2025-33026

6.1 MEDIUM

📋 TL;DR

This vulnerability allows attackers to bypass Windows' Mark-of-the-Web protection in PeaZip when extracting files from malicious archives. Users who extract files from untrusted sources (like downloads or email attachments) are affected, potentially leading to arbitrary code execution. The vulnerability is disputed due to concerns about security-warning habituation and metadata control scope.

💻 Affected Systems

Products:
  • PeaZip
Versions: through 10.4.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems using Mark-of-the-Web (Zone.Identifier) protection. Linux/macOS not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution with current user privileges, potentially leading to full system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Malware execution from extracted files that appear safe due to missing security warnings, leading to system infection or credential theft.

🟢 If Mitigated: Files are blocked by other security controls (antivirus, application whitelisting) or the user avoids suspicious archives, limiting impact.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious content from internet sources, but common attack vector via downloads/email.
🏢 Internal Only: LOW - Primarily affects systems processing external files; internal file transfers less likely to be malicious.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to extract files from a crafted archive; no authentication is needed. Weaponization status is unclear from the available references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://peazip.github.io/peazip-64bit.html

Restart Required: No

Instructions:

1. Check PeaZip website for updates beyond version 10.4.0
2. Download and install latest version if available
3. No restart required for PeaZip update

🔧 Temporary Workarounds

Use alternative extraction method (Windows)

Extract suspicious archives using Windows built-in tools or other archivers that properly propagate Mark-of-the-Web.

Manual security check (Windows)

Right-click extracted files, check Properties > Security to verify Zone.Identifier is present for internet-sourced files.

🧯 If You Can't Patch

  • Restrict PeaZip usage to trusted archives only; avoid extracting files from untrusted sources
  • Implement application control/whitelisting to block execution of unexpected binaries from user directories

🔍 How to Verify

Check if Vulnerable:

Check the PeaZip version: if it is 10.4.0 or earlier and running on Windows, the installation is likely vulnerable. Test by extracting an internet-downloaded archive and checking whether the extracted files carry a Zone.Identifier stream.

Check Version:

Open PeaZip > Help > About or check program properties

Verify Fix Applied:

Verify that the PeaZip version is newer than 10.4.0, if a patch has been released. Confirm that extracting an internet-sourced archive propagates Zone.Identifier to the extracted files.
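The manual check in the workarounds section and the verification steps above both come down to one question: does each extracted file carry the Zone.Identifier alternate data stream, and with which ZoneId? The script below is an added example, not code from the advisory or from the PeaZip project. It assumes an NTFS volume and PowerShell 3 or later (for the `-Stream` parameters); the two files it creates under `$env:TEMP` are constructed test data, not real downloads.

```powershell
# Added example, not part of the original advisory or of the PeaZip project.
# Lists every file under a directory and reports whether it carries the
# Mark-of-the-Web (NTFS alternate data stream "Zone.Identifier") and its ZoneId.
# Assumes: NTFS volume, Windows PowerShell 3+ or PowerShell 7 (-Stream support).

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse) {
        # Get-Item -Stream returns nothing (non-terminating error suppressed)
        # when the alternate data stream is absent.
        $ads = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zoneId = $null
        if ($ads) {
            foreach ($line in (Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier)) {
                if ($line -match '^ZoneId=(\d+)\s*$') { $zoneId = [int]$Matches[1] }
            }
        }
        [pscustomobject]@{
            File    = $file.FullName
            HasMotw = [bool]$ads
            ZoneId  = $zoneId   # 3 = Internet, 4 = Restricted; $null when no stream exists
        }
    }
}

# Self-check on constructed files (not real downloads): one tagged as Internet
# zone the same way a browser would tag a download, one left untagged.
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath "$demo\tagged.txt"   -Value 'sample'
Set-Content -LiteralPath "$demo\tagged.txt"   -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath "$demo\untagged.txt" -Value 'sample'

Get-MotwStatus -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

To apply this to the verification procedure: extract an archive that itself carries ZoneId=3 (a browser download) with PeaZip into an empty folder, then run `Get-MotwStatus -Path <that folder>`. Any extracted file reported with `HasMotw` equal to `False` left PeaZip without the Mark-of-the-Web, which is the behaviour this CVE describes; after a fixed version is installed, every extracted file should show `HasMotw` `True` with the archive's ZoneId.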

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from recently extracted archive locations
  • PeaZip process spawning unexpected child processes

Network Indicators:

  • Outbound connections from processes launched from user download/extraction directories

SIEM Query:

Process creation where parent_process contains 'peazip' and process_path contains 'Downloads' or 'Temp'
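One concrete form of that query, written as an added example rather than anything from the advisory, is a filter over process-creation records. It uses Sysmon Event ID 1 field names (`Image`, `ParentImage`, `CommandLine`) and assumes PeaZip's executable is named `peazip.exe`; the three sample events are constructed for the demonstration and are not real telemetry.

```powershell
# Added example, not from the original advisory. Flags process-creation events
# whose parent is PeaZip and whose image lives under a Downloads or Temp
# directory, i.e. the pattern in the SIEM query above. Field names follow
# Sysmon Event ID 1; the parent executable name "peazip.exe" is an assumption.

function Find-SuspiciousPeaZipChild {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $parentIsPeaZip = $Event.ParentImage -match '(?i)\\peazip\.exe$'
        $fromDropDir    = $Event.Image       -match '(?i)\\(Downloads|Temp)\\'
        if ($parentIsPeaZip -and $fromDropDir) { $Event }
    }
}

# Constructed sample events (paths and times invented for the demo).
$sample = @(
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:00'
                       Image = 'C:\Program Files\PeaZip\res\helper.exe'        # internal helper: benign
                       ParentImage = 'C:\Program Files\PeaZip\peazip.exe'
                       CommandLine = 'helper.exe x archive.zip' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:00:05'
                       Image = 'C:\Users\alice\Downloads\extracted\setup.exe'  # launched from extraction dir: flag
                       ParentImage = 'C:\Program Files\PeaZip\peazip.exe'
                       CommandLine = 'setup.exe' }
    [pscustomobject]@{ UtcTime = '2025-01-01 10:01:00'
                       Image = 'C:\Windows\System32\notepad.exe'               # unrelated parent: ignore
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe' }
)

$sample | Find-SuspiciousPeaZipChild | Format-Table UtcTime, Image, ParentImage -AutoSize
```

On a real host the same filter applies to Sysmon events read with `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'` once each event's XML `EventData` is projected into an object with `Image` and `ParentImage` properties; the Downloads/Temp match is a heuristic, so tune the directory list to where your users actually extract archives.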
