TopRatedTech

Tech News, Gadget Reviews, and Product Analysis for Affiliate Marketing

7-Zip 0-day was exploited in Russia’s ongoing invasion of Ukraine

Researchers said they recently discovered a zero-day vulnerability in the 7-Zip archiving utility that was actively exploited as part of Russia’s ongoing invasion of Ukraine.

The vulnerability allowed a Russian cybercrime group to override a Windows protection designed to limit the execution of files downloaded from the Internet. The defense is commonly known as MotW, short for Mark of the Web. It works by placing a “Zone.Identifier” tag on all files downloaded from the Internet or from a networked share. This tag, a type of NTFS Alternate Data Stream and in the form of a ZoneID=3, subjects the file to additional scrutiny from Windows Defender SmartScreen and restrictions on how or when it can be executed.

There’s an archive in my archive

The 7-Zip vulnerability allowed the Russian cybercrime group to bypass those protections. Exploits worked by embedding an executable file within an archive and then embedding the archive into another archive. While the outer archive carried the MotW tag, the inner one did not. The vulnerability, tracked as CVE-2025-0411, was fixed with the release of version 24.09 in late November.

Tag attributes of outer archive showing the MotW. Credit: Trend Micro

Attributes of inner archive showing the MotW tag is missing. Credit: Trend Micro

“The root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MoTW protections to the content of double-encapsulated archives,” wrote Peter Girnus, a researcher at Trend Micro, the security firm that discovered the vulnerability. “This allows threat actors to craft archives containing malicious scripts or executables that will not receive MoTW protections, leaving Windows users vulnerable to attacks.”
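The propagation failure described above can be checked for after extraction. The following Python audit is an added example, not code from the article or from Trend Micro: it parses Zone.Identifier stream text and lists extracted files that did not inherit the archive's zone. The `[ZoneTransfer]` stream layout is the standard Windows format rather than something shown on this page, and the function names, paths and sample stream contents are constructed for illustration.

```python
import configparser

INTERNET_ZONE = 3  # ZoneId the article gives for Internet downloads

def parse_zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier stream text, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(stream_text.lstrip("\ufeff"))  # tolerate a BOM
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None  # stream empty, malformed, or without a ZoneId

def read_motw(path):
    """Read a file's Zone.Identifier stream (works on Windows/NTFS only)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_id(fh.read())
    except OSError:
        return None  # no such stream: the file carries no MotW

def audit_extraction(archive_path, extracted_paths, reader=read_motw):
    """List extracted files that did not inherit the archive's MotW zone."""
    archive_zone = reader(archive_path)
    if archive_zone is None or archive_zone < INTERNET_ZONE:
        return []  # archive is not marked as Internet-sourced
    return [p for p in extracted_paths
            if (reader(p) or 0) < archive_zone]

# Constructed sample: stream contents keyed by constructed paths.
SAMPLE_STREAMS = {
    r"C:\Users\analyst\Downloads\outer.7z": "[ZoneTransfer]\r\nZoneId=3\r\n",
    r"C:\Temp\out\notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",
    r"C:\Temp\out\inner.7z": "",  # tag not propagated to the inner archive
}

def sample_reader(path):
    """Stand-in for read_motw so the example runs without NTFS."""
    return parse_zone_id(SAMPLE_STREAMS.get(path, ""))

def demo():
    outer = r"C:\Users\analyst\Downloads\outer.7z"
    extracted = [r"C:\Temp\out\notes.txt", r"C:\Temp\out\inner.7z"]
    return audit_extraction(outer, extracted, reader=sample_reader)

if __name__ == "__main__":
    print(demo())
```

On a Windows host, call `audit_extraction` with the default reader and the file paths collected from the extraction directory; any path it returns lost the tag its source archive carried.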
