A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has raised alarms among cybersecurity experts.
Identified as CVE-2025-1240, this critical flaw allows remote attackers to execute arbitrary code on a victim’s system under specific conditions. Users are strongly advised to update their software to mitigate the risk.
The vulnerability, disclosed under ZDI-25-047 and ZDI-CAN-24986, stems from an issue in the parsing of 7Z files—a file format commonly associated with compressed archives.
Improper validation of user-supplied data can result in an out-of-bounds write, enabling attackers to potentially execute malicious code in the current process.
This flaw has earned a CVSS score of 7.8 (High), reflecting its severity and potential impact on confidentiality, integrity, and availability.
For the attack to succeed, user interaction is required, such as opening a malicious 7Z file or visiting a hosting webpage.
Despite requiring user interaction, the possibility of executing arbitrary code makes this vulnerability highly dangerous, particularly as it could lead to full system compromise if exploited successfully.
As per a report by Zero Day Initiative, the vulnerability was initially reported to the vendor, WinZip Computing, on September 4, 2024.
Following months of investigation and remediation efforts, an official patch was released as part of WinZip 29.0.
The advisory was publicly disclosed on January 20, 2025, and later updated on February 11, 2025, to include further clarifications.
To address the issue, users are strongly urged to update their software to WinZip 29.0 or later.
The update incorporates fixes to the parsing mechanism, ensuring better validation and secure handling of 7Z files.
The discovery of the flaw has been credited to an anonymous researcher.
The incident highlights the persistent need to ensure software security, particularly for widely used utilities like WinZip.
As cyber threats evolve, users must remain vigilant and proactive in applying security patches.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…
A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…
EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…
A sophisticated phishing campaign, dubbed "PoisonSeed," has been identified targeting customer relationship management (CRM) and…
A surge in phishing text messages claiming unpaid tolls has been linked to a massive…
The State Bar of Texas has confirmed a data breach following the detection of unauthorized…