
A high-severity vulnerability has been discovered in the popular file compression tool 7-Zip, potentially enabling attackers to bypass crucial Windows security protections. The flaw, tracked as CVE-2025-0411, affects versions prior to 7-Zip 24.09 and has received a CVSS score of 7.0, indicating significant security risk.
The vulnerability specifically impacts the Mark of the Web (MotW) security feature, which Windows uses to flag files downloaded from the internet as potentially dangerous. When users extract files from nested archives using affected 7-Zip versions, the software fails to properly propagate the MotW flag to the extracted files, effectively removing this important security designation.
This security bypass could allow attackers to execute malicious code on a user's system, circumventing Windows' built-in protection mechanisms. The issue is particularly concerning because it affects Microsoft Office's Protected View and other security features that rely on MotW flags to safeguard users from suspicious files.
Peter Girnus, a Trend Micro Zero Day Initiative researcher, discovered and reported the vulnerability on October 1, 2024.
The 7-Zip developer, Igor Pavlov, addressed the issue with the release of version 24.09 on November 30, 2024, followed by a coordinated public disclosure on January 19, 2025.
Security experts emphasize that the vulnerability requires user interaction to exploit, such as visiting a malicious webpage or opening a compromised file. However, the lack of an auto-update feature in 7-Zip means many users may still be running vulnerable versions of the software.
PoC Released
Proof-of-concept code was quickly released on GitHub; it is a simple sample that launches calc.exe. Exploitation still requires the victim to click through the nested archives and run the extracted executable themselves.

To protect against potential attacks, users are strongly advised to:
- Immediately upgrade to 7-Zip version 24.09 or later
- Exercise caution when opening archives from unknown sources
- Implement additional endpoint security solutions to detect suspicious file activity
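As an added example (not code from the article or from the 7-Zip project), the following PowerShell script performs the two checks a defender would want after reading the above: whether the installed 7-Zip is at or above the fixed version 24.09, and whether files extracted from a downloaded archive still carry the Mark of the Web, i.e. a Zone.Identifier alternate data stream with ZoneId=3. The 7z.exe location and the extraction directory are assumed paths.

```powershell
# Added example, not code from the article or from the 7-Zip project.
# Two defender-side checks for CVE-2025-0411:
#   1. Is the installed 7-Zip at or above the fixed version 24.09?
#   2. Do files extracted from a downloaded archive still carry the Mark of
#      the Web (a Zone.Identifier alternate data stream with ZoneId=3)?
# The 7z.exe location and the extraction directory are assumed paths; adjust them.
param(
    [string]$SevenZipExe  = "$env:ProgramFiles\7-Zip\7z.exe",
    [string]$ExtractedDir = "$env:USERPROFILE\Downloads\extracted"
)

$FixedVersion = [version]'24.09'

function Test-SevenZipPatched {
    param([string]$ExePath)
    if (-not (Test-Path -LiteralPath $ExePath)) { return $null }   # not installed at this path
    # 7z.exe carries a version resource; ProductVersion reads e.g. "24.09"
    $installed = [version](Get-Item -LiteralPath $ExePath).VersionInfo.ProductVersion
    return ($installed -ge $FixedVersion)
}

function Get-MotwZone {
    param([string]$Path)
    # A file without the Zone.Identifier stream has lost (or never had) the MotW.
    $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $content) { return 'missing' }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return "ZoneId=$($Matches[1])" }
    }
    return 'stream-without-ZoneId'
}

$patched = Test-SevenZipPatched -ExePath $SevenZipExe
if ($null -eq $patched) { Write-Host "7-Zip not found at $SevenZipExe" }
elseif ($patched)       { Write-Host "7-Zip is $FixedVersion or later; CVE-2025-0411 is fixed" }
else                    { Write-Warning "7-Zip is older than $FixedVersion; upgrade to 24.09 or later" }

# ZoneId=3 (Internet) is what Protected View and SmartScreen look for. A result of
# 'missing' on files extracted from a downloaded archive is the symptom of this bug.
Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ File = $_.FullName; MotW = Get-MotwZone -Path $_.FullName }
    } | Format-Table -AutoSize
```

Run it after extracting a test archive that was itself downloaded (and therefore carries ZoneId=3); with a patched 7-Zip the extracted files should report ZoneId=3 rather than 'missing'.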
This vulnerability follows a pattern of similar MotW bypass exploits that have been actively used by malware operators, including the DarkGate malware campaign that targeted users with fake software installers for popular applications like Apple iTunes and NVIDIA drivers.
Update (Jan 23): PoC released.