7-Zip Vulnerability Actively Exploited in The Wild in Attacks – CISA Adds Its Catalog
A critical vulnerability in the popular file archiving tool 7-Zip (CVE-2025-0411) has been actively exploited in the wild, primarily against Ukrainian organizations, and has been added to CISA’s Known Exploited Vulnerabilities catalog.
This flaw allows attackers to bypass Windows’ Mark-of-the-Web (MoTW) security feature, enabling the execution of malicious code.
The vulnerability has been linked to cyberespionage campaigns, likely orchestrated by Russian cybercrime groups amidst the ongoing Russo-Ukrainian conflict.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0411, a critical vulnerability in the 7-Zip file archiver, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability has been actively exploited in the wild.
The Vulnerability: CVE-2025-0411
CVE-2025-0411 is a “Mark-of-the-Web Bypass” vulnerability rooted in a flaw in how 7-Zip handles double-archived files (an archive nested inside another archive).
When files are downloaded from untrusted sources, Windows assigns them a MoTW designation to trigger additional security checks, such as those performed by Microsoft Defender SmartScreen.
However, prior to version 24.09 of 7-Zip, this protection was not properly propagated to files within nested archives. This oversight allowed attackers to craft archives that could bypass these critical security measures.
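A defender-side check for the condition described above, written as an added example (it is not code from 7-Zip or from the article). On Windows, MoTW is stored as an NTFS alternate data stream named `Zone.Identifier` whose INI-style content carries a `ZoneId` (3 = Internet, 4 = Restricted); SmartScreen and Office Protected View key off that value. The code parses such streams and reports extracted files on which the mark is missing or downgraded, which is exactly what a pre-24.09 extraction of a nested archive would produce. `audit_directory` only does something useful on an NTFS volume; the `SAMPLE_STREAMS` dictionary and its file names are constructed for illustration.

```python
"""Check whether Mark-of-the-Web survived extraction of a nested archive.

Added example, not code from 7-Zip or the original article. A Zone.Identifier
stream normally looks like (constructed sample):

    [ZoneTransfer]
    ZoneId=3
    HostUrl=https://example.invalid/archive.7z
"""
import os
from typing import Dict, List, Optional

ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if absent/invalid."""
    if stream_text is None:
        return None
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier ADS of *path*; returns None where no stream exists.

    The ``file:stream`` syntax is only meaningful on NTFS (Windows); elsewhere
    the open() simply fails and None is returned.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def files_missing_motw(streams: Dict[str, Optional[str]], min_zone: int = 3) -> List[str]:
    """Given {filename: Zone.Identifier text or None}, list files whose zone is
    below *min_zone*, i.e. files that lost (or never received) the mark."""
    missing = []
    for name, text in streams.items():
        zone = parse_zone_identifier(text)
        if zone is None or zone < min_zone:
            missing.append(name)
    return sorted(missing)


def audit_directory(root: str, min_zone: int = 3) -> List[str]:
    """Walk an extraction directory and report files without MoTW (NTFS only)."""
    streams: Dict[str, Optional[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            streams[full] = read_zone_identifier(full)
    return files_missing_motw(streams, min_zone)


# Constructed sample: outer.7z was downloaded (ZoneId=3) and contained inner.7z,
# which contained the lure document. The innermost file came out unmarked.
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    "outer.7z": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/outer.7z\r\n",
    "inner.7z": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "report.doc": None,
}

if __name__ == "__main__":
    for name in files_missing_motw(SAMPLE_STREAMS):
        print(f"WARNING: {name} carries no Mark-of-the-Web (stream missing or ZoneId < 3)")
```

Running `audit_directory` against a folder into which a downloaded nested archive was extracted gives a quick way to confirm that an updated 7-Zip now propagates the mark; on a vulnerable build the innermost files show up in the report.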
Exploitation in the Wild
The vulnerability was first identified on September 25, 2024, during a SmokeLoader malware campaign targeting Ukrainian government and civilian organizations.
After the PoC exploit was released, attackers used spear-phishing emails sent from compromised sender accounts to distribute malicious 7-Zip archives.
These archives employed homoglyph attacks, using visually similar characters from different alphabets to disguise malicious files as legitimate documents (e.g., spoofing “.doc” extensions).
Once executed, these files bypassed MoTW protections and delivered malware payloads, including SmokeLoader. This malware facilitated full system compromise and was likely used for cyberespionage purposes.
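The homoglyph trick described above can be caught before a user ever sees the file name. The following detector is an added example (not code from the article or from any of the tools it names): it uses the Unicode character names from Python's `unicodedata` to find dot-separated name pieces that mix scripts (a Latin “d” next to a Cyrillic “о”), and flags an “extension” that only becomes `.doc`, `.pdf` and so on after confusable letters are folded back to Latin. Checking each piece separately keeps all-Cyrillic file names, which are normal in the targeted environment, from being flagged. The `CONFUSABLES` table is a small constructed subset of the Unicode confusables data, and every file name in the usage section is constructed.

```python
"""Flag file names that imitate document extensions with look-alike letters.

Added example, not code from the original article. A name such as
"report.dос" (Cyrillic о and с) renders like report.doc but Windows does not
treat it as a .doc file; the real extension decides what runs.
"""
import unicodedata
from typing import Dict, List, Set

# Constructed subset of Unicode confusables mapping look-alikes to Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0441": "c",  # Cyrillic es
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0445": "x",  # Cyrillic ha
    "\u0443": "y",  # Cyrillic u
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
    "\u03bf": "o",  # Greek omicron
}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "txt", "rtf"}


def script_of(ch: str) -> str:
    """Return the script ('LATIN', 'CYRILLIC', ...) taken from the Unicode name."""
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in(text: str) -> Set[str]:
    """Set of scripts used by the letters of *text* (digits/punctuation ignored)."""
    return {s for s in (script_of(c) for c in text) if s}


def fold_confusables(text: str) -> str:
    """Replace known look-alike letters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def suspicious_reasons(filename: str) -> List[str]:
    """Return human-readable reasons a file name looks homoglyph-spoofed."""
    reasons: List[str] = []
    pieces = filename.split(".")
    for idx, piece in enumerate(pieces):
        scripts = scripts_in(piece)
        if len(scripts) > 1:
            reasons.append(f"'{piece}' mixes scripts: " + ", ".join(sorted(scripts)))
        if idx == 0:
            continue  # the base name is not an extension
        raw = piece.strip().lower()
        folded = fold_confusables(raw)
        if folded in DOCUMENT_EXTS and raw != folded:
            reasons.append(f"extension '{raw}' imitates .{folded} using non-Latin letters")
    return reasons


def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious name in *names* to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := suspicious_reasons(n))}


if __name__ == "__main__":
    # Constructed archive listing: one clean Latin name, one clean Cyrillic
    # name, and two spoofed names built with Cyrillic о/с.
    for name, why in scan_names([
        "report.doc",
        "документ.txt",
        "report.d\u043ec",
        "invoice.d\u043e\u0441     .exe",
    ]).items():
        print(name, "->", "; ".join(why))
```

Wiring `scan_names` into an archive-inspection step (the file list of a `.7z` attachment at the mail gateway, or extracted file names on an endpoint) turns the visual trick into a concrete alert; it complements the MoTW check rather than replacing it, because a name can be honest and the mark still missing.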
The campaign targeted various Ukrainian entities, including:
- Government bodies like the State Executive Service of Ukraine.
- Industrial organizations such as the Zaporizhzhia Automobile Building Plant.
- Public services like Kyiv Public Transportation and Kyiv Water Supply Company.
Smaller local government organizations were particularly vulnerable due to limited cybersecurity resources, making them attractive pivot points for attackers aiming at larger targets.
The vulnerability was disclosed to 7-Zip’s creator, Igor Pavlov, on October 1, 2024. A patch addressing the issue was released in version 24.09 on November 30, 2024. Organizations are strongly advised to update their software immediately.
Recommendations for Defenders
To mitigate risks associated with CVE-2025-0411 and similar vulnerabilities:
- Update Software: Ensure all instances of 7-Zip are updated to version 24.09 or later.
- Email Security: Implement robust email filtering and anti-spam measures.
- Employee Training: Educate staff on recognizing phishing attempts and homoglyph attacks.
- Restrict File Execution: Disable automatic execution of files from untrusted sources.
- Domain Monitoring: Use domain filtering to detect homoglyph-based phishing domains.
- URL Filtering: Block access to known malicious domains and maintain updated blacklists.