7-Zip Mark of the Web Bypass Vulnerability
7-Zip contains a protection mechanism failure vulnerability that allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.
A local attacker, without authentication, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-02-27 under CISA BOD 22-01.
This is a Software Vulnerability (CWE-693) (CWE-693) vulnerability in 7-Zip 7-Zip. 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456. Exploitation requires local access, higher attack complexity, no authentication required, and user interaction required.
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-02-06 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-02-27.
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References