2025-02-10
A new vulnerability, CVE-2025-0411, has been discovered in 7-Zip, raising concerns about security in file extraction. The flaw lies in how Mark-of-the-Web (MoW) is handled when dealing with nested ZIP files. In specific cases, MoW is not correctly propagated, which can lead to security risks when extracting potentially malicious files. This issue has been actively exploited in recent attacks.
However, the bigger concern is that 7-Zip does not propagate MoW at all in its default configuration. Even though MoW propagation was introduced as a feature years ago, users must manually enable it through the GUI or Windows Registry. This highlights an ongoing security oversight that could expose users to malware threats if they rely on default settings.
The Issue
- CVE-2025-0411 is a vulnerability in 7-Zip affecting MoW propagation.
- When extracting a ZIP file inside another ZIP file, the inner file does not inherit the MoW from the outer ZIP.
- The default settings in 7-Zip do not propagate MoW at all, so the feature gives no protection unless users turn it on themselves.
- MoW propagation must be manually enabled via GUI settings or the Windows Registry.
- This issue has been known for years, yet 7-Zip has not changed its default behavior.
- Attackers are exploiting this vulnerability in the wild, emphasizing the need for users to take action.
What Undercode Says:
The discovery of CVE-2025-0411 once again raises critical questions about file security, software defaults, and user awareness. While the flaw is being actively exploited, the real issue lies in the broader security implications of how 7-Zip handles MoW.
1. Why Mark-of-the-Web Matters
MoW is a security feature in Windows that helps mitigate the risk of executing malicious files downloaded from the internet. When a file has MoW, Windows may restrict its execution or show security warnings. If MoW is lost during extraction, an attacker could bypass these security measures, increasing the likelihood of malware execution.
2. The Danger of Default Insecurity
Many users assume that security settings are enabled by default, but in this case, 7-Zip does not propagate MoW unless explicitly configured. This makes users unknowingly vulnerable, as they may believe extracted files retain security attributes when, in reality, they do not.
3. The Exploitation of Nested Archives
Threat actors often use nested archives to evade security controls. If a malicious ZIP file contains another ZIP file, the extracted payload may lose its MoW attribute, tricking users into running dangerous executables without warnings. Attackers could use this flaw to distribute ransomware, trojans, and other malware.
4. Lack of Fixes and Vendor Responsibility
Despite awareness of this issue, 7-Zip has not changed its default settings to enable MoW propagation. This raises concerns about software vendors' responsibility in ensuring secure defaults. Security-conscious users may manually enable the feature, but the average user is left exposed.
5. Practical Recommendations for Users
To mitigate this risk, users should:
- Manually enable MoW propagation in 7-Zip's settings or via the Windows Registry.
- Use alternative extraction tools that correctly handle MoW by default.
- Be cautious when extracting nested archives, especially from untrusted sources.
- Leverage endpoint protection solutions to detect and block malicious files.
- Regularly update security policies to align with best practices for file handling.
6. Implications for Enterprise Security
For organizations, this vulnerability highlights the importance of secure file-handling policies. Companies should:
- Audit their use of 7-Zip and ensure MoW propagation is enabled.
- Educate employees on the risks of downloading and extracting files.
- Implement strict security controls around file execution, including application whitelisting and sandboxing.
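The following PowerShell script is an added example, not code from the original post or from the 7-Zip project. It ties together sections 1, 5 and 6 above: MoW is stored as the NTFS alternate data stream Zone.Identifier (ZoneId=3 meaning "Internet"), so a defender can audit the 7-Zip setting, enable propagation, and then verify that files extracted from a downloaded archive still carry the stream. It assumes that 7-Zip's per-user setting is the DWORD WriteZoneIdExtract under HKCU:\Software\7-Zip\Options (0 = no propagation, 1 = all files, 2 = Office files only), which corresponds to the "Propagate Zone.Id stream" option in the GUI; confirm the value name against the 7-Zip version you deploy. The extraction folder C:\Temp\extracted is a hypothetical path.

```powershell
# Added example (not from the original post or from 7-Zip): audit and enable
# 7-Zip's Mark-of-the-Web propagation, then verify it on extracted files.
# Assumption: the per-user setting is HKCU:\Software\7-Zip\Options\WriteZoneIdExtract
# (DWORD: 0 = no, 1 = all files, 2 = Office files only). Verify against your version.

$OptionsKey = 'HKCU:\Software\7-Zip\Options'
$ValueName  = 'WriteZoneIdExtract'

function Get-SevenZipMowSetting {
    # Returns the configured value, or $null when 7-Zip is still on its default (no propagation).
    if (-not (Test-Path $OptionsKey)) { return $null }
    $item = Get-ItemProperty -Path $OptionsKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Enable-SevenZipMowPropagation {
    # 1 = propagate the Zone.Identifier stream to every extracted file.
    if (-not (Test-Path $OptionsKey)) { New-Item -Path $OptionsKey -Force | Out-Null }
    New-ItemProperty -Path $OptionsKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-MarkOfTheWeb {
    # MoW is the alternate data stream 'Zone.Identifier'; ZoneId=3 marks the Internet zone.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($null -eq $stream) { return $false }
    $content = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    return ($content -match 'ZoneId=3')
}

function Find-UnmarkedExtractedFiles {
    # Defender's check: list files under an extraction folder that lost their MoW.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -File |
        Where-Object { -not (Test-MarkOfTheWeb -Path $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

# Usage: audit the setting, enable it if needed, then check an extraction folder.
$current = Get-SevenZipMowSetting
if ($current -ne 1) {
    Write-Host "7-Zip MoW propagation is '$current' (empty = default, no propagation); enabling."
    Enable-SevenZipMowPropagation
}
# After extracting a downloaded archive with 7-Zip into C:\Temp\extracted (hypothetical path):
Find-UnmarkedExtractedFiles -Folder 'C:\Temp\extracted'
```

The setting is per user, so in an enterprise it belongs in Group Policy Preferences or a login script rather than on one machine; Find-UnmarkedExtractedFiles is the follow-up check that shows whether extraction actually preserved the stream, including for the nested-archive case the post describes.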
7. The Bigger Picture: Software Security Culture
This situation reflects a broader issue in software security:
- Many applications prioritize functionality over security, leaving users to configure protection manually.
- Vendors often delay security fixes or fail to address known risks unless there is significant public pressure.
- Security by default should be the norm, rather than an optional setting hidden in configuration menus.
Final Thoughts
CVE-2025-0411 is more than just a vulnerability: it is a reminder of how software defaults can expose users to risks. While MoW propagation can be manually enabled, the lack of awareness and the potential for real-world exploitation make this a serious issue.
Security-conscious users and enterprises should take immediate action by enabling MoW propagation and adopting stricter file security policies. Meanwhile, 7-Zip developers should reconsider their approach to default security settings, as secure defaults are crucial in minimizing attack surfaces.
References:
Reported By: https://isc.sans.edu/forums/diary/Reminder%3A