Zero Day 7-Zip Vulnerability exploited to target Ukrainian Organizations

By Christian Mary Lagua on February 21, 2025

Executive Summary

On October 1, 2024, a severe vulnerability was discovered in 7-Zip. The weakness allows homoglyph attacks by circumventing the Mark-of-the-Web (MOTW) security mechanism. This zero-day vulnerability was exploited during a cyberespionage campaign targeting Ukraine. To mitigate it, 7-Zip should be updated to version 24.09 and additional security measures should be implemented to strengthen defenses.

Background

7-Zip is a file compression and extraction tool that, on Windows, supports the Mark-of-the-Web (MOTW) security feature [4]. MOTW prevents accidental execution of files downloaded from the Internet and enables Microsoft Defender SmartScreen to perform additional security checks. However, a protection mechanism failure affecting double-encapsulated archives (an archive nested inside another archive) means the MOTW is not applied to files extracted from the inner archive, allowing attackers to bypass these checks and deliver malicious archives whose contents execute unchecked [3].
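The following PowerShell script is an added example, not code from the article or from any of its references. It reports whether files under a folder still carry the MOTW, which Windows stores in the NTFS `Zone.Identifier` alternate data stream; a file extracted by a vulnerable 7-Zip from a double-encapsulated archive would show up here as unmarked. It assumes an NTFS volume and PowerShell 3.0 or later (for the `-Stream` parameter); the two demo files at the end are constructed for illustration.

```powershell
# Added example (not from the article): report whether each file under a folder still carries
# the Mark-of-the-Web, stored in the NTFS Zone.Identifier alternate data stream.
# Assumptions: NTFS volume, PowerShell 3.0 or later (-Stream), a folder path supplied by the caller.

function Get-MotwStatus {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $zoneId = $null
        try {
            # A marked file has a Zone.Identifier stream containing "[ZoneTransfer]" and "ZoneId=3"
            $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
            if (($stream -join "`n") -match '(?m)^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        } catch {
            # Get-Content throws when the stream does not exist: the file is unmarked
        }

        if ($zoneId -eq 3) {
            $note = 'MOTW present (Internet zone)'
        } elseif ($null -ne $zoneId) {
            $note = "Zone.Identifier present (ZoneId=$zoneId)"
        } else {
            $note = 'No MOTW: SmartScreen will not inspect this file'
        }

        [pscustomobject]@{
            File   = $_.FullName
            ZoneId = $zoneId
            Marked = ($null -ne $zoneId)
            Note   = $note
        }
    }
}

# Demo on constructed files: one marked the way a browser download would be, one unmarked,
# which is how contents extracted from a nested archive look on a vulnerable 7-Zip.
$demo = Join-Path $env:TEMP ('motw-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
$marked   = Join-Path $demo 'downloaded.txt'
$unmarked = Join-Path $demo 'extracted.txt'
Set-Content -LiteralPath $marked   -Value 'sample'
Set-Content -LiteralPath $marked   -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $unmarked -Value 'sample'

Get-MotwStatus -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run `Get-MotwStatus -Path <extraction folder>` against the output of a test extraction: on a patched 7-Zip the inner files should be reported as marked, and any unmarked result on a host that still runs an older version is a concrete sign the bypass applies.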

CVE-2025-0411, a severe vulnerability in 7-Zip, was discovered on October 1, 2024. The weakness allows homoglyph attacks by circumventing MOTW. Russian cybercrime groups exploited the vulnerability in spear-phishing campaigns [2]. On September 25, 2024, they deployed the SmokeLoader malware through homoglyph attacks, a type of cyberattack that manipulates typography (substituting visually similar characters) to trick users into opening a malicious file or link that looks legitimate. A patch was released on November 30, 2024.

Exploitation

Exploitation of CVE-2025-0411 requires user interaction [1]. The vulnerability concerns double-encapsulated archives: when 7-Zip extracts an archive nested inside another archive, the MOTW is not carried over to the extracted contents, so attackers can deliver malicious archives whose contents execute without MOTW protection. Russian cybercrime groups leveraged this by sending the archives from compromised email accounts spoofed using homoglyph attacks. Because the emails appear legitimate, the chance of user interaction increases.
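The check below is an added example, not code from the article or its references. It implements the defensive counterpart to the homoglyph spoofing described above: it flags a sender domain or filename whose letters come from more than one Unicode script (for example a Cyrillic "а" standing in for a Latin "a") and prints the punycode form, which makes the substitution visible in logs and mail headers. The script-range table covers only Latin, Greek and Cyrillic, and the sample strings are constructed for illustration.

```powershell
# Added example (not from the article): flag strings whose letters mix Unicode scripts,
# the pattern a homoglyph spoof relies on. Sample strings below are constructed.
# Assumption: ranges cover Latin, Greek and Cyrillic only; anything else is reported as 'Other'.

function Get-CharScript {
    param([Parameter(Mandatory)][char]$Char)
    $cp = [int]$Char
    if ($cp -le 0x024F) { return 'Latin' }                         # Basic Latin through Latin Extended-B
    if ($cp -ge 0x0370 -and $cp -le 0x03FF) { return 'Greek' }
    if ($cp -ge 0x0400 -and $cp -le 0x052F) { return 'Cyrillic' }  # Cyrillic and Cyrillic Supplement
    return 'Other'
}

function Test-MixedScript {
    param([Parameter(Mandatory)][string]$Text)

    # Only letters matter; digits, dots and dashes are shared by every script
    $scripts = @($Text.ToCharArray() |
        Where-Object { [char]::IsLetter($_) } |
        ForEach-Object { Get-CharScript $_ } |
        Sort-Object -Unique)

    # The punycode (xn--) form is what a mail gateway or DNS log would actually record
    $idn = New-Object System.Globalization.IdnMapping
    try { $punycode = $idn.GetAscii($Text) } catch { $punycode = '(not encodable as an IDN label)' }

    [pscustomobject]@{
        Text     = $Text
        Scripts  = ($scripts -join ',')
        Suspect  = ($scripts.Count -gt 1)
        Punycode = $punycode
    }
}

# Constructed samples: a genuine ASCII domain, a look-alike domain with a Cyrillic 'а' (U+0430),
# and a filename with a Cyrillic 'С' (U+0421) in place of the Latin 'C'
$samples = @(
    'example.com',
    ('ex' + [char]0x0430 + 'mple.com'),
    (('Report' + [char]0x0421 + 'opy.doc'))
)
$samples | ForEach-Object { Test-MixedScript $_ } | Format-Table -AutoSize
```

A pure-ASCII string yields a single script and `Suspect = False`; the two look-alikes yield `Latin,Cyrillic` and `Suspect = True`. The same function can be pointed at the `From:` domain of inbound mail or at the filenames inside a received archive before a user is allowed to open them.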

Significance and Impact

CVE-2025-0411 has a CVSS severity score of 7, which rates it as a high-risk vulnerability [6]. Because malicious files execute without MOTW protection and without the warnings Microsoft Defender SmartScreen would otherwise show, attackers can gain unauthorized access to sensitive data and possibly cause denial of service [7]. Smaller local governments are often targeted because they lack cybersecurity expertise and the resources to build a cybersecurity strategy; attackers can compromise these smaller entities and use them as a path into larger government organizations.

Mitigation

Mitigations address the exposure of older 7-Zip versions. Mortem has published two scripts for immediate protection of affected 7-Zip installations [4][5]. The first script disables 7-Zip and prevents it from being reached through Windows Search, so users cannot accidentally or intentionally bypass MOTW protection [5]. The second script detects installed 7-Zip versions so that vulnerable installations can be updated to version 24.09, which fixes CVE-2025-0411 and minimizes exposure [4]. Other mitigations include training users to recognize signs of phishing, applying email security controls, using URL and domain filtering, and disabling automatic file execution. Together these strengthen overall security and reduce the chance of exploitation.
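As an added example of the detection step (this is not the article's code and not Mortem's script), the PowerShell inventory below lists 7-Zip copies found on a Windows host and flags any older than 24.09, the version the article names as the fix. It assumes the standard 7-Zip installer registry entries and default install paths, and version strings in the `NN.NN` form 7-Zip uses.

```powershell
# Added example (not from the article, not Mortem's script): inventory installed 7-Zip copies
# and flag any older than 24.09. Assumptions: standard installer registry entries, default
# install paths, and DisplayVersion/ProductVersion strings in 7-Zip's 'NN.NN' form.

$PatchedVersion = [version]'24.09'

function Get-SevenZipInstall {
    # Uninstall entries for 64-bit, 32-bit and per-user installs
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $fromRegistry = @(foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '7-Zip*' } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'Registry'; Name = $_.DisplayName; Version = $_.DisplayVersion; Path = $_.InstallLocation }
            }
    })

    # The binary's own version info also catches copies the installer did not register
    $candidates = @("$env:ProgramFiles\7-Zip\7z.exe", "${env:ProgramFiles(x86)}\7-Zip\7z.exe")
    $fromBinary = @(foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            $info = (Get-Item -LiteralPath $exe).VersionInfo
            [pscustomobject]@{ Source = 'Binary'; Name = $info.ProductName; Version = $info.ProductVersion; Path = $exe }
        }
    })
    return $fromRegistry + $fromBinary
}

function Test-SevenZipPatched {
    param([string]$VersionString)
    # 24.09 or newer is patched; a missing or unparsable version is reported as unpatched
    try { return ([version]$VersionString -ge $PatchedVersion) } catch { return $false }
}

$installs = @(Get-SevenZipInstall)
if ($installs.Count -eq 0) { Write-Output 'No 7-Zip installation found.' }
foreach ($i in $installs) {
    $state = if (Test-SevenZipPatched $i.Version) { 'OK (>= 24.09)' } else { 'VULNERABLE: update to 24.09' }
    Write-Output ('{0,-9} {1,-25} {2,-8} {3,-28} {4}' -f $i.Source, $i.Name, $i.Version, $state, $i.Path)
}
```

Portable copies outside the default folders are not found by this inventory, so pair it with a file-search or EDR query for `7z.exe` and `7zFM.exe` before treating a host as clean.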

Conclusion

Russian cybercrime groups have exploited CVE-2025-0411 to target Ukraine since September 2024, using affected 7-Zip installations to bypass security mechanisms. Updating to version 24.09 and applying security best practices are crucial to mitigating this vulnerability.

References

[1] Coopersmith, A. (2025, January 24). “7-Zip Mark-of-the-Web Bypass Vulnerability on Windows platforms.” Openwall. https://www.openwall.com/lists/oss-security/2025/01/24/6

[2] Girnus, P. (2025, February 04). “CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks.” Trend Micro. https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html

[3] MITRE. (n.d.). “CWE-693: Protection Mechanism Failure.” MITRE. https://cwe.mitre.org/data/definitions/693.html

[4] Mortem. (2025, January 28). “CVE-2025-0411 Detection 7-zip Vulnerability.” VSociety. https://www.vicarius.io/vsociety/posts/cve-2025-0411-detection-7-zip-vulnerability

[5] Mortem. (2025, February 02). “CVE-2025-0411 7-zip Mitigation Vulnerability.” VSociety. https://www.vicarius.io/vsociety/posts/cve-2025-0411-7-zip-mitigation-vulnerability

[6] National Institute of Standards and Technology. (2025, January 25). “CVE-2025-0411.” National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-0411

[7] NetApp. (2025, February 07). “CVE-2025-0411 7-Zip Vulnerability in NetApp Products.” NetApp. https://security.netapp.com/advisory/ntap-20250207-0005/