Researchers mentioned they not too long ago found a zero-day vulnerability within the 7-Zip archiving utility that was actively exploited as a part of Russia’s ongoing invasion of Ukraine.
The vulnerability allowed a Russian cybercrime group to override a Home windows safety designed to restrict the execution of information downloaded from the Web. The protection is often often known as MotW, brief for Mark of the Internet. It really works by inserting a “Zone.Identifier” tag on all information downloaded from the Web or from a networked share. This tag, a sort of NTFS Alternate Knowledge Stream and within the type of a ZoneID=3, topics the file to extra scrutiny from Home windows Defender SmartScreen and restrictions on how or when it may be executed.
There’s an archive in my archive
The 7-Zip vulnerability allowed the Russian cybercrime group to bypass these protections. Exploits labored by embedding an executable file inside an archive after which embedding the archive into one other archive. Whereas the outer archive carried the MotW tag, the interior one didn’t. The vulnerability, tracked as CVE-2025-0411, was fastened with the discharge of model 24.09 in late November.
Tag attributes of outer archive displaying the MotW.
Credit score:
Pattern Micro
Attributes of inner-archive displaying MotW tag is lacking.
Credit score:
Pattern Micro
“The foundation reason behind CVE-2025-0411 is that previous to model 24.09, 7-Zip didn’t correctly propagate MoTW protections to the content material of double-encapsulated archives,” wrote Peter Girnus, a researcher at Pattern Micro, the safety agency that found the vulnerability. “This permits menace actors to craft archives containing malicious scripts or executables that won’t obtain MoTW protections, leaving Home windows customers weak to assaults.”
Researchers mentioned they not too long ago found a zero-day vulnerability within the 7-Zip archiving utility that was actively exploited as a part of Russia’s ongoing invasion of Ukraine.
The vulnerability allowed a Russian cybercrime group to override a Home windows safety designed to restrict the execution of information downloaded from the Web. The protection is often often known as MotW, brief for Mark of the Internet. It really works by inserting a “Zone.Identifier” tag on all information downloaded from the Web or from a networked share. This tag, a sort of NTFS Alternate Knowledge Stream and within the type of a ZoneID=3, topics the file to extra scrutiny from Home windows Defender SmartScreen and restrictions on how or when it may be executed.
There’s an archive in my archive
The 7-Zip vulnerability allowed the Russian cybercrime group to bypass these protections. Exploits labored by embedding an executable file inside an archive after which embedding the archive into one other archive. Whereas the outer archive carried the MotW tag, the interior one didn’t. The vulnerability, tracked as CVE-2025-0411, was fastened with the discharge of model 24.09 in late November.
Tag attributes of outer archive displaying the MotW.
Credit score:
Pattern Micro
Attributes of inner-archive displaying MotW tag is lacking.
Credit score:
Pattern Micro
“The foundation reason behind CVE-2025-0411 is that previous to model 24.09, 7-Zip didn’t correctly propagate MoTW protections to the content material of double-encapsulated archives,” wrote Peter Girnus, a researcher at Pattern Micro, the safety agency that found the vulnerability. “This permits menace actors to craft archives containing malicious scripts or executables that won’t obtain MoTW protections, leaving Home windows customers weak to assaults.”
