Tuesday, April 1, 2025
HomeCVE/vulnerabilityWinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

WinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

Published on

SIEM as a Service

Follow Us on Google News

A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has raised alarms among cybersecurity experts.

Identified as CVE-2025-1240, this critical flaw allows remote attackers to execute arbitrary code on a victim’s system under specific conditions. Users are strongly advised to update their software to mitigate the risk.

Key Details of the Vulnerability

The vulnerability, disclosed under ZDI-25-047 and ZDI-CAN-24986, stems from an issue in the parsing of 7Z files—a file format commonly associated with compressed archives.

Improper validation of user-supplied data can result in an out-of-bounds write, enabling attackers to potentially execute malicious code in the current process.

This flaw has earned a CVSS score of 7.8 (High), reflecting its severity and potential impact on confidentiality, integrity, and availability.

For the attack to succeed, user interaction is required, such as opening a malicious 7Z file or visiting a hosting webpage.

Despite requiring user interaction, the possibility of executing arbitrary code makes this vulnerability highly dangerous, particularly as it could lead to full system compromise if exploited successfully.

As per a report by Zero Day Initiative, the vulnerability was initially reported to the vendor, WinZip Computing, on September 4, 2024. 

Following months of investigation and remediation efforts, an official patch was released as part of WinZip 29.0. 

The advisory was publicly disclosed on January 20, 2025, and later updated on February 11, 2025, to include further clarifications.

To address the issue, users are strongly urged to update their software to WinZip 29.0 or later.

The update incorporates fixes to the parsing mechanism, ensuring better validation and secure handling of 7Z files.

The discovery of the flaw has been credited to an anonymous researcher.

The incident highlights the persistent need to ensure software security, particularly for widely used utilities like WinZip.

As cyber threats evolve, users must remain vigilant and proactive in applying security patches.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Massive 400GB X (Twitter) Data Leak Surfaces on Hacker Forums

A colossal 400GB trove containing data from 2.873 billion X (formerly Twitter) users has...

PortSwigger Launches Burp AI to Enhance Penetration Testing with AI

PortSwigger, the makers of Burp Suite, has taken a giant leap forward in the...

Chord Specialty Dental Partners Data Breach Exposes Customer Personal Data

Chord Specialty Dental Partners is under scrutiny after revealing a data breach that compromised...

Kentico Xperience CMS XSS Vulnerability Allows Remote Code Execution

Kentico Xperience CMS, a widely used platform designed for enterprises and organizations, is under...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Massive 400GB X (Twitter) Data Leak Surfaces on Hacker Forums

A colossal 400GB trove containing data from 2.873 billion X (formerly Twitter) users has...

PortSwigger Launches Burp AI to Enhance Penetration Testing with AI

PortSwigger, the makers of Burp Suite, has taken a giant leap forward in the...

Chord Specialty Dental Partners Data Breach Exposes Customer Personal Data

Chord Specialty Dental Partners is under scrutiny after revealing a data breach that compromised...