Security researchers have identified a high-severity zero-day vulnerability in the 7-Zip file archiving tool that was actively exploited in attacks linked to Russia's ongoing war against Ukraine.

Exploiting Windows Security Measures

The vulnerability enabled a Russian cybercriminal group to circumvent a key Windows security feature designed to restrict the execution of files sourced from the Internet. Known as Mark of the Web (MotW), this protection works by attaching a Zone.Identifier tag to files that a browser, mail client or other MotW-aware application saves from the Internet. The tag is an NTFS alternate data stream whose content records the origin zone (ZoneId=3 for the Internet zone). Its presence causes Windows Defender SmartScreen to check the file's reputation before it is allowed to run, and causes Microsoft Office to open it in Protected View.

Bypassing the Mark of the Web

The flaw in 7-Zip allowed attackers to strip this protection without touching the tag directly. The attackers placed an executable inside an archive and nested that archive within a second, outer archive, which the victim then downloaded. The outer archive carried the MotW tag, but when 7-Zip extracted it the tag was not propagated to the inner archive it unpacked. The executable eventually extracted from that untagged inner archive therefore carried no MotW and ran without SmartScreen scrutiny. The vulnerability, tracked as CVE-2025-0411, was fixed in 7-Zip version 24.09, released in late November 2024.
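The following PowerShell script is an added example, not code from the original report or from the 7-Zip project. It ties together the two points above: it shows what the Zone.Identifier stream described earlier actually contains, builds a constructed nested archive (a harmless text file inside inner.zip inside outer.zip), stamps only the outer archive as Internet-sourced, and then audits whether the extractor propagated the tag to everything it unpacked. The 7-Zip path is its default installation location and is an assumption; the archive and file names are placeholders. On a patched 7-Zip every extracted file should report `ok`; on a vulnerable one the inner archive is reported as `MISSING MotW`.

```powershell
# Added example: audit Mark-of-the-Web propagation after extracting a nested archive.
# Assumes Windows with NTFS, PowerShell 5.1 or later, and 7-Zip at its default
# install path (assumption). All file names below are constructed placeholders.

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # MotW is stored in the Zone.Identifier alternate data stream, e.g.
    #   [ZoneTransfer]
    #   ZoneId=3          (3 = Internet zone, 4 = Restricted sites)
    $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    foreach ($line in $raw) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MotW {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Writes the same stream a browser would write for an Internet download.
    $content = "[ZoneTransfer]`r`nZoneId=$ZoneId"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -NoNewline
}

function Test-MotwPropagation {
    param(
        [Parameter(Mandatory)][string]$Archive,
        [Parameter(Mandatory)][string]$ExtractedDir,
        [switch]$Repair   # re-stamp untagged files with the archive's zone
    )
    $archiveZone = Get-ZoneId -Path $Archive
    if ($null -eq $archiveZone) {
        Write-Output "Archive '$Archive' carries no MotW; nothing to propagate."
        return
    }
    Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File | ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        if ($null -eq $zone) {
            Write-Output "MISSING MotW: $($_.FullName)"
            if ($Repair) {
                Set-MotW -Path $_.FullName -ZoneId $archiveZone
                Write-Output "  -> stamped ZoneId=$archiveZone"
            }
        } else {
            Write-Output "ok (ZoneId=$zone): $($_.FullName)"
        }
    }
}

# Constructed fixture: payload.txt inside inner.zip inside outer.zip.
$work = Join-Path $env:TEMP 'motw-test'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -LiteralPath "$work\payload.txt" -Value 'harmless test file'
Compress-Archive -LiteralPath "$work\payload.txt" -DestinationPath "$work\inner.zip" -Force
Compress-Archive -LiteralPath "$work\inner.zip"   -DestinationPath "$work\outer.zip" -Force

# Only the outer archive is "downloaded", so only it carries the Internet-zone tag.
Set-MotW -Path "$work\outer.zip" -ZoneId 3

# Extract with 7-Zip (assumed default install path) exactly as a victim would.
$sevenZip = 'C:\Program Files\7-Zip\7z.exe'
& $sevenZip x "$work\outer.zip" "-o$work\stage1" -y | Out-Null
Test-MotwPropagation -Archive "$work\outer.zip" -ExtractedDir "$work\stage1"

# Second hop: unpack the inner archive and check the payload it yields.
& $sevenZip x "$work\stage1\inner.zip" "-o$work\stage2" -y | Out-Null
Test-MotwPropagation -Archive "$work\stage1\inner.zip" -ExtractedDir "$work\stage2" -Repair
```

The `-Repair` switch is a compensating control for environments where the extractor cannot yet be upgraded: it stamps untagged output with the originating archive's zone so SmartScreen and Protected View still apply. It is no substitute for the fix, since anything run directly from the extraction window before the audit is already outside its reach.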

Key Takeaway: This incident underscores the importance of keeping software updated to mitigate vulnerabilities. 7-Zip has no automatic update mechanism, so affected installations must be upgraded to 24.09 or later by hand.
