7-Zip: Vulnerability allows Mark-of-the-Web bypass

A security vulnerability in 7-Zip allows the mark-of-the-web protection mechanism to be bypassed and code to be executed. An update is available.

File on the computer screen distributes viruses and malware

(Image: created with AI in Bing Designer by heise online / dmk)


A security vulnerability in the popular archive program 7-Zip makes it possible to bypass the Mark-of-the-Web (MotW) marking of files downloaded from the Internet. This could allow attackers to inject and execute malicious code. 7-Zip users must take action themselves and install the available update to protect their systems.

The Zero-Day Initiative (ZDI) explains in a security advisory that remote attackers can bypass the MotW protection mechanism, but that this requires user interaction, such as visiting a malicious website or opening a malicious file.

The bug affects the processing of archive files. When extracting carefully prepared archives that have a Mark-of-the-Web marker, 7-Zip does not transfer this MotW to the unpacked files. Attackers can exploit the vulnerability to execute arbitrary code in the context of the user, explains ZDI (CVE-2025-0411, CVSS 7.0, risk “high”).


The bug was already reported last October, and information is now being published in a coordinated manner. 7-Zip version 24.09 or newer closes the vulnerability; it has been available for download on the 7-Zip download page since the end of November last year.

The 7-Zip version dialog shows which version of the program is running on the computer. It should be 24.09 or higher.

(Image: Screenshot / dmk)

As 7-Zip does not contain an integrated update mechanism, users of the software must take action themselves and download and install the updated version. Otherwise, their system will remain vulnerable to this high-risk vulnerability. In the 7-Zip file manager, you can find out which version is currently active on the computer in the menu under “Help” – “About 7-Zip …”.
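The version check and the marker propagation described above can both be verified from PowerShell. The following is an added example, not part of the original article or the 7-Zip project; the install path, archive path and extraction folder are assumptions to adjust locally. It relies on Windows storing the MotW in the NTFS alternate data stream `Zone.Identifier`.

```powershell
# Added example; the three paths below are assumptions, adjust them to your environment.
$SevenZip   = 'C:\Program Files\7-Zip\7z.exe'          # assumed default install path
$Archive    = "$env:USERPROFILE\Downloads\sample.7z"   # hypothetical downloaded archive
$ExtractDir = "$env:USERPROFILE\Downloads\sample"      # hypothetical extraction folder
$FixedIn    = [version]'24.9'                          # 24.09, the fixed release named in the article

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # The Mark-of-the-Web lives in the NTFS alternate data stream "Zone.Identifier";
    # ZoneId=3 means the file came from the Internet zone.
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no marker present
}

# 1. Is the installed 7-Zip at least the fixed version?
if (Test-Path -LiteralPath $SevenZip) {
    $vi = (Get-Item -LiteralPath $SevenZip).VersionInfo
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    if ($installed -lt $FixedIn) {
        Write-Warning "7-Zip $installed is older than 24.09: update manually."
    } else {
        Write-Output "7-Zip $installed is 24.09 or newer."
    }
} else {
    Write-Warning "7-Zip not found at $SevenZip"
}

# 2. Did the marker on the downloaded archive reach the extracted files?
if (-not (Test-Path -LiteralPath $Archive) -or -not (Test-Path -LiteralPath $ExtractDir)) {
    Write-Warning 'Archive or extraction folder not found; skipping MotW check.'
} elseif ($null -eq ($archiveZone = Get-ZoneId -Path $Archive)) {
    Write-Output 'Archive carries no Mark-of-the-Web.'
} else {
    # Collect every extracted file that has no Zone.Identifier stream.
    $unmarked = @(Get-ChildItem -LiteralPath $ExtractDir -Recurse -File |
        Where-Object { $null -eq (Get-ZoneId -Path $_.FullName) })
    Write-Output "Archive ZoneId=$archiveZone; $($unmarked.Count) extracted file(s) without a marker:"
    $unmarked | ForEach-Object { $_.FullName }
}
```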

Last November, a vulnerability was discovered in 7-Zip that also allowed malicious code to be injected and executed using manipulated archives. This was an integer underflow that could occur when decompressing Zstandard archives, allowing code to be written to memory.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.