What is Mark of the Web (MotW)?
Mark of the Web (MotW) is a Windows security mechanism that tags files downloaded from the internet (or received via email) with a hidden NTFS alternate data stream (Zone.Identifier). When a user attempts to open a MotW-tagged file, Windows SmartScreen displays a warning and requires explicit confirmation before execution. MotW is a critical defense against drive-by malware: it prevents silently-downloaded executables from running without user awareness.
When files are extracted from an archive, Windows expects the archive application to propagate the MotW tag to extracted files. If an archiver fails to propagate MotW, extracted executables can run without the SmartScreen warning — even if the archive itself was downloaded from the internet and carries the tag.
Overview
CVE-2025-0411 is a protection mechanism failure vulnerability (CWE-693) in 7-Zip where files extracted from archives do not inherit the Mark of the Web tag from the source archive. When a user downloads a 7-Zip archive from the internet (it receives MotW), extracts it with 7-Zip (extracted files do NOT receive MotW), and runs an extracted executable — Windows SmartScreen does not warn the user, allowing malware to execute silently. Russian threat actors exploited this to deliver SmokeLoader malware targeting Ukrainian organizations via phishing campaigns containing malicious 7-Zip archives. Fixed silently in 7-Zip 24.09 (November 2024); CVE assigned January 2025 after Trend Micro discovered active exploitation.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| 7-Zip | < 24.09 | 24.09 (November 19, 2024) |
7-Zip does not auto-update. Users must manually download and install 24.09 from 7-zip.org.
Technical Details
The vulnerability (CWE-693: Protection Mechanism Failure) is in 7-Zip's file extraction code on Windows. When 7-Zip extracts files from an archive that carries a MotW Zone.Identifier ADS (alternate data stream), it does not copy the Zone.Identifier ADS to the extracted files. On Windows systems (Vista and later), this means extracted executables lack the internet zone tag that would trigger SmartScreen.
Attack delivery chain:
- Attacker embeds a malware executable inside a 7-Zip archive (.7z, .zip, .tar, etc.)
- Attacker sends the archive via a phishing email or hosts it at a malicious download link
- Victim downloads the archive — the .7z file receives the MotW tag from Windows
- Victim extracts with 7-Zip — extracted files receive no MotW (the bug)
- Victim double-clicks an extracted executable — SmartScreen shows no warning, malware executes
The High attack complexity rating (AC:H) reflects that successful exploitation requires the victim to extract the archive with 7-Zip specifically (not Windows built-in extraction, which handles MotW correctly) and then execute a file from the extracted contents — two separate user actions.
Discovery
Trend Micro researchers (Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun) discovered active exploitation in October–November 2024 targeting Ukrainian organizations. The fix was silently included in 7-Zip 24.09 on November 19, 2024; the CVE was assigned only after Trend Micro's public disclosure in January 2025.
Exploitation Context
Russian threat actors exploited CVE-2025-0411 in phishing campaigns targeting Ukrainian government organizations, delivering SmokeLoader — a modular malware loader used to deploy information stealers, ransomware, and other payloads. The campaigns used double-archive techniques (an outer .zip or .7z containing an inner malicious archive) to maximize compatibility with different 7-Zip configurations.
Trend Micro attributed the campaigns to Russian-aligned threat actors targeting Ukrainian organizations as part of cyber operations related to the ongoing conflict.
Remediation
- Update 7-Zip to version 24.09 or later from 7-zip.org. 7-Zip does not auto-update — manual download and installation is required. The CISA deadline was February 27, 2025.
- Verify your 7-Zip version: Help → About 7-Zip in the application.
- Use Windows built-in archive extraction (right-click → Extract All) where possible — Windows' built-in extraction correctly propagates MotW to extracted files.
- Configure email gateways to inspect and block malicious archive files. Nested archives (archive-within-archive) should be scanned to the inner level.
- Enable SmartScreen and ensure it is not disabled by Group Policy on user endpoints — even after the 7-Zip fix, SmartScreen provides important defense-in-depth for file execution.
- Enable Attack Surface Reduction (ASR) rules in Microsoft Defender that block executable content from email and web downloads.
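The following PowerShell script is an added example, not code from the advisory or from the 7-Zip project. It ties together the Zone.Identifier mechanism described under Technical Details and the remediation steps above: it checks the installed 7-Zip version against 24.09, and audits an extraction folder for files that lost the Mark of the Web, re-applying the source archive's zone to them. The 7-Zip install path and the sample archive/folder paths are assumptions.

```powershell
# Added example (not from the advisory or 7-Zip). Assumes the default 7-Zip
# install path; adjust $SevenZipExe for a non-default installation.
$SevenZipExe  = "$env:ProgramFiles\7-Zip\7z.exe"
$FixedVersion = [version]"24.09"

function Get-MotWZone {
    param([string]$Path)
    # Zone.Identifier is an NTFS alternate data stream holding an INI-style
    # [ZoneTransfer] block; ZoneId=3 is the Internet zone SmartScreen acts on.
    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }          # no ADS: the file carries no MotW
    $content = Get-Content -Path $Path -Stream Zone.Identifier
    $line = $content | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Set-MotWZone {
    param([string]$Path, [int]$ZoneId)
    # Write the same stream Windows attaches to a browser or mail download.
    Set-Content -Path $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Repair-ExtractedMotW {
    param([string]$Archive, [string]$ExtractDir)
    # Propagate the archive's zone to any extracted file that lacks one,
    # which is exactly what an unpatched 7-Zip fails to do (CVE-2025-0411).
    $archiveZone = Get-MotWZone $Archive
    if ($null -eq $archiveZone) { Write-Host "Archive has no MotW; nothing to propagate"; return }
    Get-ChildItem -Path $ExtractDir -Recurse -File | ForEach-Object {
        if ($null -eq (Get-MotWZone $_.FullName)) {
            Write-Host "Untagged extracted file, re-applying ZoneId=$archiveZone: $($_.FullName)"
            Set-MotWZone -Path $_.FullName -ZoneId $archiveZone
        }
    }
}

function Test-SevenZipPatched {
    if (-not (Test-Path $SevenZipExe)) { Write-Host "7-Zip not found at $SevenZipExe"; return $false }
    # Assumption: 7z.exe reports its version (e.g. "24.09") in ProductVersion.
    $ver = [version](Get-Item $SevenZipExe).VersionInfo.ProductVersion
    Write-Host "Installed 7-Zip $ver; fix shipped in $FixedVersion"
    return ($ver -ge $FixedVersion)
}

# Usage (placeholder paths):
# Test-SevenZipPatched
# Repair-ExtractedMotW -Archive 'C:\Users\me\Downloads\sample.7z' -ExtractDir 'C:\Users\me\Downloads\sample'
```

Re-tagging restores the SmartScreen prompt for files already extracted by a vulnerable version; it is a stopgap until 7-Zip is updated to 24.09 or later.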
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-0411 |
| Vendor / Product | 7-Zip — 7-Zip |
| NVD Published | 2025-01-25 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 7 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-693 |
| CISA KEV Added | 2025-02-06 |
| CISA KEV Deadline | 2025-02-27 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-11-19 | 7-Zip 24.09 released with MotW propagation fix (silent patch, no advisory) |
| 2025-01-25 | CVE published after Trend Micro discovers active exploitation |
| 2025-02-06 | CISA adds to KEV; Trend Micro publishes Ukrainian targeting report |
| 2025-02-27 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| 7-Zip Version History — 24.09 Security Fix | Vendor Advisory |
| NVD — CVE-2025-0411 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Trend Micro — CVE-2025-0411: Ukrainian Organizations Targeted via 7-Zip MotW Bypass | Security Research |