Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-0411
CVE-2025-0411:
7-Zip vulnerability analysis and mitigation
Overview
CVE-2025-0411 is a Mark-of-the-Web (MotW) bypass vulnerability affecting 7-Zip versions prior to 24.09. The vulnerability was discovered by Peter Girnus from Trend Micro Zero Day Initiative in October 2024 and was fixed in November 2024. This security flaw affects installations of 7-Zip on Windows platforms, where the application fails to properly propagate the Mark-of-the-Web protection mechanism to extracted files from archived contents (ZDI Advisory, NVD).
Technical details
The vulnerability exists within the handling of archived files, specifically when extracting files from a crafted archive that bears the Mark-of-the-Web. The core issue is that 7-Zip does not propagate the Mark-of-the-Web to the extracted files from double-encapsulated archives. This vulnerability has been assigned a CVSS v3.1 base score of 7.0 (High), with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-693 (Protection Mechanism Failure) (ZDI Advisory, Help Net Security).
Impact
When successfully exploited, this vulnerability allows attackers to bypass Windows security protections and execute arbitrary code in the context of the current user. The bypass of Mark-of-the-Web protection means that files extracted from malicious archives won't trigger Windows security warnings, potentially leading to the execution of malicious content without user awareness (Trend Micro, NetApp Advisory).
Mitigation and workarounds
The vulnerability has been fixed in 7-Zip version 24.09. Organizations are strongly advised to update to this version or later. Additional recommended mitigations include implementing strict email security measures, training employees on phishing awareness, disabling automatic execution of files from untrusted sources, and implementing domain and URL filtering to detect and block homoglyph-based phishing attacks (Vicarius, CISA Alert).
Community reactions
The vulnerability has gained significant attention from the cybersecurity community, particularly after CISA added it to their Known Exploited Vulnerabilities Catalog on February 6, 2025, requiring federal agencies to remediate the vulnerability by February 27, 2025. The discovery of active exploitation targeting Ukrainian organizations has raised concerns about its use in state-sponsored cyber operations (CISA Alert).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management