Full Report
A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09. "The vulnerability was
Analysis Summary
# Vulnerability: 7-Zip Double Archiving Flaw Bypasses Windows MotW Protections
## CVE Details
- CVE ID: CVE-2025-0411
- CVSS Score: 7.0 (High)
- CWE: Not explicitly mentioned in the summary, but relates to improper handling of security attributes across encapsulated files.
## Affected Systems
- Products: 7-Zip Archiver Tool
- Versions: Prior to 7-Zip version 24.09
- Configurations: Files delivered via spear-phishing campaigns often using homoglyph attacks to spoof extensions.
## Vulnerability Description
The vulnerability resides in the 7-Zip archiver's handling of Mark-of-the-Web (MotW) protections on archived content, specifically in cases of double-encapsulated archives (an archive within an archive). Prior to version 24.09, 7-Zip failed to properly propagate the MotW flag to the content inside these nested archives. This allows threat actors to craft malicious archives containing executable payloads that, upon extraction and execution, do not trigger standard Windows security checks like the MotW warning or Defender SmartScreen protection, leading to arbitrary code execution in the user's context.
## Exploitation
- Status: Exploited in the wild (Used by Russian cybercrime groups to deliver SmokeLoader malware)
- Complexity: Implied Medium (Requires specific archive construction and social engineering techniques like homoglyph attacks)
- Attack Vector: Network (via initial phishing email delivery)
## Impact
- Confidentiality: High (Execution of malware like SmokeLoader can lead to data theft)
- Integrity: High (Arbitrary code execution allows system modification)
- Availability: High (Malware can lead to service disruption or system compromise)
## Remediation
### Patches
- 7-Zip version 24.09 (Released November 2024)
### Workarounds
- No explicit workarounds are detailed in the summary, but strict application of MotW enforcement or enhanced endpoint detection for unexpected file behavior should serve as temporary mitigation.
## Detection
- Indicators of Compromise: Successful execution of malware following the opening of specially crafted 7-Zip archives (e.g., subsequent execution of SmokeLoader).
- Detection methods and tools: Monitoring for archive files that utilize nesting techniques or exhibit suspicious file extensions due to homoglyph attacks. Relying on endpoint security to inspect file metadata upon extraction, even if initial MotW prompts are suppressed.
## References
- Vendor Advisories: ZDI-25-045
- Relevant links - defanged:
- trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
- sourceforge.net/p/sevenzip/discussion/45797/thread/b95432c7ac/