7-Zip 0-Day Flaw Added to CISA’s List of Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical 0-day vulnerability affecting the popular file compression utility, 7-Zip, to its Known Exploited Vulnerabilities (KEV) Catalog.

The vulnerability, identified as CVE-2025-0411, highlights a severe flaw that allows attackers to bypass the Mark-of-the-Web (MotW) security feature and execute arbitrary code on targeted systems.

Details of the 7-Zip Vulnerability

The flaw in question is a protection mechanism failure that compromises 7-Zip’s ability to enforce the Mark-of-the-Web security feature.

MotW is a key defense mechanism in Windows that flags files downloaded from untrusted sources, restricting potentially harmful actions.

CVE-2025-0411 exploits this weakness, enabling remote attackers to bypass these safeguards. Once exploited, the attacker can execute arbitrary code within the context of the current user, potentially leading to data theft, system compromise, and other malicious activities.

The vulnerability has been categorized under Common Weakness Enumeration (CWE) 693, which is specific to protection mechanism failures.

While there is no confirmation yet that the flaw has been utilized in ransomware campaigns, experts are urging organizations to take the threat seriously.

CISA’s Action Plan and Recommendations

CISA has included CVE-2025-0411 in its KEV catalog to raise awareness and prompt action among organizations.

The KEV catalog considered an authoritative source for vulnerabilities being actively exploited in the wild, serves as a critical tool for vulnerability management prioritization. Organizations are strongly advised to:

1. Apply Mitigations: Follow instructions provided by the vendor to implement recommended patches or mitigations. At the time of reporting, users are awaiting an official fix from the 7-Zip development team.
2. Discontinue Use: If mitigations are unavailable or patching is not immediately possible, organizations should discontinue using 7-Zip to eliminate the risk.

CISA has set a remediation deadline of February 27, 2025, for federal agencies to address this vulnerability and ensure impacted systems are secured.

The inclusion of the 7-Zip vulnerability in the KEV catalog underscores the increasing sophistication of attack vectors targeting widely used software.

Security experts warn that this vulnerability could easily become a favorite among threat actors due to 7-Zip’s widespread adoption across industries.

As more vulnerabilities are exploited, CISA’s KEV catalog remains a crucial resource for cybersecurity professionals to stay informed and act quickly against emerging threats.

Organizations are encouraged to integrate the catalog into their vulnerability management frameworks to enhance their defenses. 

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free