CVE-2025-0411 - 7-Zip Mark-of-the-Web Bypass Vulnerability Explained

A critical vulnerability has recently been discovered in 7-Zip, a widely used open-source file archiver. This vulnerability, tracked as CVE-2025-0411 (also known as ZDI-CAN-25456), allows remote attackers to bypass the Mark-of-the-Web (MotW) security mechanism on Windows systems. This post will explain, in simple terms, what this means, how the vulnerability works, and what you can do to stay safe.

What is Mark-of-the-Web?

Mark-of-the-Web (MotW) is a special attribute that Windows assigns to files downloaded from the Internet or received from email. When a file has this mark, Windows and compatible apps (like Microsoft Office and Edge) prompt users with a warning before opening the file, or may even restrict certain kinds of active content (like running macros or executable code).

This feature is important because it helps prevent malicious files from executing silently when users double-click them.

Affected software: 7-Zip (all versions before the patch)

- Impact: Extracted files do not retain MotW, potentially tricking users into running untrusted code without warnings.

Interaction required: Yes (user must open a crafted archive or file)

Original advisory:
Zero Day Initiative - ZDI-24-456: 7-Zip Mark-of-the-Web Bypass Vulnerability (ZDI-CAN-25456)

How the Vulnerability Works

Normally, if you download a ZIP file from the Internet, Windows adds MotW to the archive file. If you extract the contents with Windows' built-in ZIP extractor, the extracted files will also have MotW—so Windows and some applications will still warn you before opening them.

With 7-Zip, however, if you open and extract a "Marked" archive, the resulting files do not retain MotW. That means any dangerous .exe, .js, or macro-enabled Office files will open without any warnings. Attackers can exploit this by tricking users into extracting and running malicious files.

Exploit Steps (Example)

1. Attacker creates a ZIP archive with malicious content (like a trojan or macro-enabled document):

Technical Details and PoC (Proof of Concept)

Here’s a simple Python script to create a MotW-marked ZIP file, which you can use for testing (ON YOUR OWN SYSTEM ONLY):

import ctypes
import zipfile
import os

# Your payload file (could be a harmless .txt for testing)
payload_src = 'evil.exe'
payload_zip = 'malicious.zip'

# Create the ZIP archive
with zipfile.ZipFile(payload_zip, 'w') as zipf:
    zipf.write(payload_src, os.path.basename(payload_src))

# Apply Mark-of-the-Web (MotW) using ADS (Alternate Data Stream)
motw = '[ZoneTransfer]\nZoneId=3'
motw_stream = payload_zip + ':Zone.Identifier'
with open(motw_stream, 'w') as stream:
    stream.write(motw)

print(f"Created MotW-marked ZIP: {payload_zip}")

When you unzip this archive using 7-Zip, the extracted evil.exe will not have MotW and will run without prompts.

To check a MotW on a file (or add it manually)

# To see if a file has MotW
Get-Content .\malicious.zip -Stream Zone.Identifier

# To add MotW to a file
Add-Content .\malicious.zip -Stream Zone.Identifier '[ZoneTransfer]`nZoneId=3'

Real-World Implications

- Phishing attacks: Malicious archives sent via email or shared links can evade Windows security warnings.

Malware delivery: Users may run harmful files thinking they're safe because no prompt appears.

- Supply chain: Developers and IT workers who rely on 7-Zip for automation or daily work may unknowingly expose their systems.

Mitigation and Recommendations

- Update 7-Zip: Check 7-Zip's official site for any patch that fixes this issue.
- Extract with Windows Explorer: If you receive a ZIP file from the internet, use the built-in Windows extraction tool.

Manual MotW: For highly sensitive workflows, you can manually check or set MotW on files.

- Be wary of suspicious files: Especially if they came from unsolicited emails or untrusted sources.
- Group Policy/IT Controls: Enterprises can restrict which apps are allowed to unpack internet files.

More References

- ZDI Advisory: ZDI-24-456
- 7-Zip Official Website
- Microsoft Docs: Mark-of-the-Web
- Zone.Identifier/Mark-of-the-Web explanation (Wikipedia)

Conclusion

CVE-2025-0411 is a textbook example of how even trusted tools can create security gaps if they don't fully interact with built-in OS protections. Until a patch is available, exercise caution with 7-Zip and always be vigilant when extracting and running files from the internet or email.

If you found this guide useful, consider sharing it to help others stay protected!

Timeline

Published on: 01/25/2025 05:15:09 UTC