CVE-2025-0411
HIGH | KEV
7-Zip 24.09 - Mark-of-the-Web Bypass Code Execution
Title source: manual
Exploitation Summary
CVE-2025-0411 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 6, 2025. EIP tracks 8 public exploits from researchers including dhmosfunk, adminlove520, t0x1nsec.
AI-analyzed exploit summary: This repository contains a proof-of-concept exploit for CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in 7-Zip. The exploit demonstrates how a crafted archive can bypass security warnings, allowing arbitrary code execution via a shellcode loader.
Description
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
Exploits (8)
This repository contains a proof-of-concept exploit for CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in 7-Zip. The exploit demonstrates how a crafted archive can bypass security warnings, allowing arbitrary code execution via a shellcode loader.
This repository contains functional exploit code for multiple CVEs, including authentication bypass vulnerabilities in TOTOLINK devices and a scanner for Fortinet SSL VPN (CVE-2024-21762). The PoCs demonstrate real-world exploitation techniques with clear technical details.
The repository contains a functional proof-of-concept exploit for CVE-2025-0411, which bypasses the Mark-of-the-Web protection mechanism in 7-Zip versions before 24.09. The exploit involves a double-compressed archive that, when extracted, does not propagate the MotW flag, allowing arbitrary code execution via a shellcode loader (calc.exe).
This PoC demonstrates CVE-2025-0411, a Mark-of-the-Web bypass in 7-Zip versions before 24.09. It includes a loader that executes calc.exe via shellcode, showcasing how extracted files lose their MotW, enabling arbitrary code execution.
This PoC exploits CVE-2025-0411 by executing a shellcode payload via memory allocation and thread creation. The README states that it requires user interaction and relies on the missing MotW (Mark of the Web) propagation in versions before 24.09.
This PoC demonstrates CVE-2025-0411, a vulnerability in 7-Zip that bypasses Windows' Mark-of-the-Web (MoTW) by exploiting nested archive extraction. It compiles a C++ executable containing shellcode and compresses it into nested 7z archives to trigger the vulnerability.
The repository claims to be a PoC for CVE-2025-0411 but instead promotes a cheating tool for the game Rust, with no actual exploit code or technical details related to the CVE. The download links and content are misleading and unrelated to the stated vulnerability.
This repository contains only a README file describing CVE-2025-0411, a 7-Zip Mark-of-the-Web bypass vulnerability. No exploit code or technical details are provided.
References (6)
Scores
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H