Wednesday, January 22, 2025

CVE-2025-0411 – vulnerability in 7-Zip


The vulnerability CVE-2025-0411 has been found in the popular 7-Zip file archiver, allowing attackers to bypass the Mark-of-the-Web protection mechanism. CVE-2025-0411 has a CVSS score of 7.0. The vulnerability was quickly fixed, but since the program has no automatic update mechanism, some users may still be running a vulnerable version. That's why we recommend updating the archiver immediately.

What is Mark-of-the-Web?

The Mark-of-the-Web (MOTW) mechanism consists of placing a special metadata mark on files received from the internet. If such a mark is present, the Windows operating system treats the file as potentially dangerous. If the file is executable, the user sees a warning that it may cause harm when they try to run it. Some programs also restrict the functionality of a file carrying this mark (for example, MS Office applications block the execution of macros in such files). When an archive downloaded from the internet is unpacked, all the extracted files should inherit this Mark-of-the-Web.

Attackers have repeatedly tried to get rid of the MOTW in order to mislead the user. In particular, a few years ago we wrote that the BlueNoroff APT group had adopted techniques to bypass this mechanism. In the MITRE ATT&CK matrix classification, bypassing the MOTW mechanism belongs to sub-technique T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass.

What is the CVE-2025-0411 vulnerability, and why is it dangerous?

CVE-2025-0411 allows attackers to craft an archive in such a way that when it is unpacked by 7-Zip, the extracted files do not inherit the MOTW mark. As a result, an attacker can exploit this vulnerability to launch malicious code with the user's privileges. Of course, such a vulnerability is dangerous not in and of itself, but as part of a complex attack. In addition, to exploit it, the user must launch the malicious file manually. However, as we already mentioned above, attackers often try to remove this mark, so giving them an extra way to do so is clearly a bad idea.

Researchers discovered CVE-2025-0411 back in November last year and immediately reported it to the author of 7-Zip. This is why version 24.09, published on November 29, 2024, is no longer vulnerable.

How to stay safe

First of all, you should update 7-Zip to version 24.09 or newer. If this file archiver is used in your organization, we recommend updating it centrally (if appropriate tools are available), or at least notifying employees that it urgently needs updating. Kaspersky products for home users can check a number of widely used software products (including 7-Zip) and update them automatically.
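As an added example (not from the original article), here is a PowerShell check a Windows administrator can run to confirm two things at once: the installed 7-Zip version, and whether files extracted from an internet-downloaded archive still carry the Mark-of-the-Web, which Windows stores in the file's `Zone.Identifier` alternate data stream. The default 7-Zip install path and the use of `ProductVersion` to read the version are assumptions; the archive path is whatever you pass in.

```powershell
# Added example: verify that 7-Zip propagates MOTW when extracting a downloaded archive.
# Assumes 7-Zip is installed at the default path; override $SevenZip if it is elsewhere.
param(
    [Parameter(Mandatory)][string]$Archive,      # archive that was downloaded from the internet
    [string]$OutDir   = (Join-Path $env:TEMP 'motw-check'),
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe'
)

# Returns the ZoneId from a file's Zone.Identifier stream, or $null if the file has no mark.
function Get-ZoneId([string]$Path) {
    try {
        $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch { return $null }
    $line = $content | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

# 1. The archive itself must carry the mark (ZoneId 3 = Internet, 4 = Restricted);
#    otherwise the extraction test proves nothing.
$archiveZone = Get-ZoneId $Archive
if ($null -eq $archiveZone) {
    Write-Warning "$Archive has no Zone.Identifier stream; download it through a browser so it is marked."
    exit 1
}

# 2. Report the installed 7-Zip version; 24.09 and later contain the fix for CVE-2025-0411.
$ver = (Get-Item -LiteralPath $SevenZip).VersionInfo.ProductVersion
Write-Host "7-Zip version: $ver (CVE-2025-0411 fixed in 24.09 or later)"

# 3. Extract into a clean directory (-o<dir> is 7-Zip's output-directory switch, no space).
if (Test-Path -LiteralPath $OutDir) { Remove-Item -LiteralPath $OutDir -Recurse -Force }
& $SevenZip x "-o$OutDir" -y $Archive | Out-Null

# 4. Every extracted file should have inherited the mark; list any that did not.
$unmarked = Get-ChildItem -LiteralPath $OutDir -File -Recurse |
    Where-Object { $null -eq (Get-ZoneId $_.FullName) }
if ($unmarked) {
    Write-Warning 'Files extracted WITHOUT Mark-of-the-Web (MOTW was not propagated):'
    $unmarked | ForEach-Object { Write-Warning "  $($_.FullName)" }
    exit 2
}
Write-Host "All extracted files carry Zone.Identifier (ZoneId $archiveZone)."
```

Run it against a harmless test archive (for example, a zip of text files you downloaded yourself) rather than a suspicious sample. 7-Zip only writes the stream when its "Propagate Zone.Id stream" option is enabled in Tools > Options, so check that setting before treating an unmarked result as the vulnerability rather than configuration.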

In addition, we recommend that all internet users treat files received from the internet with extreme caution, and not open them on computers without a reliable security solution.
