The Ultimate Guide To Cybersecurity In The Real World. - Register Here
The Ultimate Guide To Cybersecurity In The Real World. - Register Here
Schedule a Consultation
Hoplon InfoSec Logo
  • Products
  • Services

Hoplon Infosec · Threat Intelligence

7 Zip Vulnerability 2025: Hidden Flaw Giving Hackers Full Control

ByRadia
Published10 Oct, 2025
7 Zip Vulnerability 2025: Hidden Flaw Giving Hackers Full Control
Radia10 Oct, 2025

I once downloaded a ZIP file that I thought was just a harmless bill. I opened it, 7-Zip opened, I extracted the files, and everything seemed fine until my coworker's endpoint scanner started yelling. The recent 7-Zip story is all about that moment of peace before the alarm goes off.

 The headline accurately reflects the situation: a 7-Zip vulnerability in 2025 allows hackers to circumvent Windows' security measures and execute code on your computer.

Why this is important  

This flaw gets around the Windows Mark-of-the-Web protection, which is the small safety flag that Windows uses to let you know when a file came from the internet. In simple terms, it means that a harmful file inside an archive can look safe after you extract it and trick you into running it. That is what made this 7-Zip vulnerability 2025 both smart and risky.

What happened: the discovery and the timeline

In late 2024, the vulnerability was reported privately, and in January 2025, when the Zero Day Initiative published its advisory and gave the issue the CVE-2025-0411 number, it was made public. The advisory says that extracting a specially made archive with the internet-origin mark does not keep that mark on the files that were extracted, so they act like files that were made on the computer.

Security teams had already seen proof-of-concept code and limited use in the wild by the time public reports came out. The coordinated disclosure and the CVE entry made it easy for defenders to find patches and more information. The official 7-Zip changelog and vendor pages say that the problem was fixed in the 24.09 release, so on paper, the easy fix is to update.

How attackers used it in the real world

This wasn't just something that scientists were interested in. Trend Micro's research connected the flaw to targeted campaigns that sent SmokeLoader and other similar loaders to Ukrainian organizations. These campaigns used tricks like homoglyphs in filenames and nested archives to hide the payload. That pattern changes a normal ZIP extraction into a way to send something to a specific person.

An attacker makes an archive that looks like it came from the internet. This is what exploit chains looked like. When a user extracts nested files with older versions of 7-Zip that have security holes, the extracted files lose their Mark-of-the-Web flag.

Windows won't show the usual "this file may be unsafe" warning without that flag, so people or automated processes might run the file. The lack of friction is what lets a 7-Zip vulnerability in 2025 turn curiosity into compromise.

What the numbers and warnings say

Security trackers gave this a CVSS base score of about 7.0 and said it was very serious because it could let arbitrary code run in the user's context.

The Zero Day Initiative's advisory and the NVD entry give a short overview of the technical root cause and the versions that were affected. Later, CISA added the CVE to its Known Exploited Vulnerabilities list, marking it for urgent attention. Those are the official signals that most teams follow.

Why nested archives made things worse: an example

You can think of nested archives as Matryoshka dolls. You expect the same care to be taken with each layer you take off, like labels, warnings, and so on. But because of this mistake, the outer doll has a warning tag, and the inner doll does not.

You can't find the safe-handling marks anymore by the time you get to the real toy. This was used by attackers to hide dangerous files several layers deep, making a normal extraction into a trap. The phrase "7-Zip vulnerability 2025" means that there is a real risk.

Who got hit, and why wasn't it just random noise?

Reports showed that attacks were aimed at both government and private sector targets, with Ukraine being one of the first and most obvious targets. Attackers seemed to like stealthy loaders that depend on user action instead of loud exploits that try to break through privilege boundaries.

That way of doing things makes it less likely that they'll be found and fits the "deliver, wait, execute" model that many groups that steal information or spy on others like. The Trend Micro analysis gives the most detailed public breakdown of those campaigns.

The easy fix is to update now, but keep in mind the catch.
The good news is that the 7-Zip team fixed the problem in the 24.09 release. This means that installing that version or later will close the hole. Because 7-Zip doesn't update itself automatically, many advisories and vendor pages say to update it right away by hand.

If you manage endpoints from one place, push 24.09 or later, or take 7-Zip off of places where it isn't needed. That is the easiest and safest way to stop this specific 7-Zip vulnerability from 2025 from being used to attack your environment.

Screenshot 2025-10-10 143645

If you can't patch right away, here are some practical ways to protect yourself:

If a quick update isn't possible, use layered mitigations: Limit the users who can run archivers, stop extracting nested archives from untrusted sources, allow and check email and web gateway scanning for nested archives, and make the execution policy for files taken from temporary folders stricter.

You can also keep an eye out for strange use of archive tools and flag any processes that start network connections after extraction. These steps make it less likely that a loose file will be run, even if the archiver is still open to attack. Several CERTs and SOC advisories put out similar temporary controls.

A brief list for system administrators and power users

1. Look at the versions of 7-Zip that are already installed. If < 24.09, make plans to update right away.

2. Get the official installer from the 7-Zip website and check the checksums.

3. Don't open email attachments that have nested archives in them until they have been scanned.

4. Teach users not to run extracted executables without first scanning them. Real stories show that users are the ones who make the final decision.

 5. Look for signs of SmokeLoader or other similar loaders in your logs.

Screenshot 2025-10-10 143428

Imagine a small accounting firm where someone gets an email that looks like a ZIP file with a vendor invoice. They unzip it with an old version of 7-Zip, click on an EXE file inside that says it is an invoice helper, and all of a sudden the attacker has access to a workstation that can talk to the company network.

These aren't Hollywood-style attacks; they're low-effort, repetitive intrusions that depend on a moment of trust. That's why even "simple" archiver bugs can lead to real breaches. The 7-Zip vulnerability in 2025 made this situation go from being just a theory to something that actually happened.


Bigger lesson: attackers prefer things that are easy to use to things that are hard to use.

Attackers take the easiest route. A slowly patched defensive gap is an invitation. In this case, the vulnerability didn't need to gain more privileges or damage memory in a complicated way; it took advantage of a workflow assumption.

Attackers build an exploit on the assumption that the chain of custody for a file stays intact during extraction. This is a reminder to build security that takes into account the fact that mistakes will happen and to include detection and containment.

Final thoughts and things to do

If you are in charge of endpoints, this is very important. Update 7-Zip to version 24.09 or later, check that gateway scanning is working, and teach teams to be careful with nested archives. If you are in charge of a security or incident team, look for signs of SmokeLoader and check any strange processes that happened after the extraction in the weeks leading up to the update. When a simple patch is available, quick, useful steps are better than long plans.

Trusted source

Primary advisory and technical details: Zero Day Initiative ZDI-25-045 (CVE-2025-0411).

Hoplon Insight Box

Patch now: All endpoints need to have 7-Zip 24.09 or later installed. Verify that downloads are real.
Make the workflow stronger by blocking nested archives at mail and web gateways or sending them to sandbox scanners.
Limit execution: Use app control to stop users from running untrusted executables that have been extracted to temporary folders.
Hunt and monitor: Look through logs for signs of SmokeLoader and for strange child processes that start up after you extract an archive.
Training users: Tell them to stop, scan, and ask. Using social engineering is still the easiest way to hack into a system.

Hoplon Infosec's Endpoint Security service protects your devices by quickly fixing security holes, blocking attacks, and keeping an eye on your systems to stop threats like the 7-Zip vulnerability 2025 before they can do any damage.

About the author

R

Radia

Was this useful?

React, leave a note, or share it forward.

Leave a note

Share this article

Share this :

Free · Weekly · No noise

Get the threats that matter, before they reach you.

One short email a week with the breaches, zero-days, and fixes worth your attention — written in plain English, no fear-mongering.

Hoplon InfoSec Logo
Address : 1415 West 22nd Street, Tower Floor, Oak Brook, IL 60523

Phone : +1 (773) 904-3136

Email : info@hoploninfosec.com

Services

  • Penetration Testing
  • Cyber Security Assessment
  • AI Development
  • Incident Readiness & Response Recovery

Products

  • IBM Flash Storage Solutions
  • Mobile Security
  • Endpoint Security
  • Deep and Dark Web Monitoring

Sign Up For Newsletter

Get the latest updates on new products and upcoming news

Copyright © Hoplon InfoSec, LLC and its group of companies.
About usContact usTerms & ConditionsCookie PolicyPrivacy Policy
03Latest posts

Keep reading.

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now
15 Jul, 2026

SonicWall SMA1000 Zero-Day Vulnerabilities: Patch Now

SonicWall SMA1000 zero-day vulnerabilities are under active attack. See affected versions, CVE details, IOC checks and the patch you need right now.

Read More
Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide
15 Jul, 2026

Windows 11 KB5101650 Dell Issue: Causes and Full Fix Guide

Windows 11 KB5101650 is blocked on some Dell PCs after an Intel driver conflict triggered shutdowns and overheating. Here is what happened and what to do.

Read More
OFAC Sanctions First VPN Service Over Ransomware
14 Jul, 2026

OFAC Sanctions First VPN Service Over Ransomware

Learn why OFAC sanctioned First VPN Service and a malware cryptor seller, how 1VPNS helped ransomware groups, and how to defend against FSB router attacks.

Read More
CVE-2026-57807: Critical WordPress SSO Flaw Explained
13 Jul, 2026

CVE-2026-57807: Critical WordPress SSO Flaw Explained

CVE-2026-57807 affects miniOrange OAuth SSO through 38.5.8. Learn who is exposed, how the flaw works, plus safe mitigation and incident response steps.

Read More
Mobile App Security Guide: Risks, Fixes and Best Practices
13 Jul, 2026

Mobile App Security Guide: Risks, Fixes and Best Practices

Mobile app security explained simply, covering real risks, OWASP threats, encryption and practical steps to protect any app from hackers.

Read More
Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims
13 Jul, 2026

Apple OpenAI Lawsuit: Inside the Trade Secret Theft Claims

Apple OpenAI lawsuit explained. See what Apple accuses Tang Tan, Chang Liu and OpenAI of stealing, and what it means for hardware security.

Read More