CVE-2025-0411
7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.
ACTIVELY EXPLOITED IN THE WILD
This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
7-Zip Mark of the Web Bypass Vulnerability
7-Zip 7-Zip
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
2/6/2025
https://www.7-zip.org/history.txt ; https://nvd.nist.gov/vuln/detail/CVE-2025-0411
Vulnerability Summary
CVSS v3 Score
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability)
This vulnerability has a 46.72% probability of being exploited in the next 30 days, ranking higher than 98% of all scored CVEs.
CWE Classification
Related Vulnerabilities
Same Weakness Type(CWE-693)
Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a network.
Protection mechanism failure in MSHTML Framework allows an unauthorized attacker to bypass a security feature over a network.
Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
Similar SeverityHIGH
Improper link resolution before file access ('link following') in Microsoft Defender allows an authorized attacker to elevate privileges locally.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
An Improper Input Validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remotely authenticated user with administrative access to achieve remote code execution.
OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthorized access to internal resources.
OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell expansion tokens in heredoc bodies to execute unapproved commands at runtime.
Learn More
View this score breakdown or calculate a custom score
Learn how severity scores are calculated and what they mean
Best practices for deciding which vulnerabilities to address first
Essential guide to Common Vulnerabilities and Exposures
Understand how CVEs relate to underlying weakness types