CVE-2025-0411 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-01-25

Added to CISA KEV: 2025-02-06 12 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Update 7-Zip to the latest version immediately on all systems
Implement user education about the risks of opening archives from untrusted sources
Consider application control policies to restrict archive tool execution
Monitor for suspicious file extraction activities and unexpected executable launches

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-0411 is a security vulnerability that was identified in 7-Zip and disclosed to its creator, Igor Pavlov, leading to a patch in version 24.09 on November 30, 2024 ^[1].

Key Details

Feature	Description
Vulnerability Type	Mark-of-the-Web (MotW) bypass
Affected Product	7-Zip (versions prior to 24.09) ^[1]
Exploitation	Active in the wild (targeted attacks) ^[1]
Requirement	User interaction (e.g., opening a malicious file) ^[4]
Impact	Bypass of security checks, potential arbitrary code execution ^[3]
Status	Patched in version 24.09 ^[1]

Analysis

Active Exploitation and Threat Actors: This vulnerability was actively exploited in the wild by Russian cybercrime groups to target Ukrainian organizations ^[1].
Attack Method: The attack involves bypassing Windows "Mark-of-the-Web" (MotW) protections by using a double-archiving technique (e.g., a nested archive structure like `poc.outer.zip/poc.inner.zip/poc.bat`) ^[2]. This prevents necessary security checks from triggering, allowing the execution of malicious content ^[1]. Attackers also utilized homoglyph attacks to spoof files in spear-phishing campaigns ^[1].
Exploitation Requirements: Exploitation requires user interaction, specifically the target opening a malicious file or visiting a malicious page ^[4].
Proof-of-Concept: Working proof-of-concept (PoC) exploits utilizing the nested archive structure have been documented by security researchers ^[2].
Impact: Successful exploitation allows attackers to bypass security protections and potentially execute arbitrary code in the context of the current user ^[3].

*Note: Some online sources may incorrectly associate CVE-2025-0411 with other products (such as Microsoft Exchange); however, the primary research from security vendors identifies this specific CVE as a 7-Zip vulnerability ^[1].*

Sources