## https://sploitus.com/exploit?id=4588CEE0-B221-5512-86D4-4B55989E8B6F
# CVE-2025-0411: 7-Zip MoTW Bypass Vulnerability
## Introduction
CVE-2025-0411 is a flaw in 7-Zip that bypasses Windows' Mark-of-the-Web (MoTW), allowing malicious files from crafted archives to execute without warnings. Exploited in SmokeLoader campaigns, it poses risks due to 7-Zip’s lack of auto-updates.
## What is MoTW?
MoTW marks internet-downloaded files as unsafe via an Alternate Data Stream (ADS), triggering warnings or Protected View. It’s only effective if preserved during file handling.
## Technical Details
7-Zip fails to propagate MoTW’s Zone.Identifier ADS to files extracted from nested archives, enabling silent execution of malicious content.
## Real-World Exploitation
- **Malware:** SmokeLoader campaigns, linked to UAC-0006, target Ukraine with disguised files.
- **Past Exploits:** Similar to CVE-2024-38213 and CVE-2024-21412 (DarkGate).
## Adversarial Techniques
- Use non-NTFS containers (.iso, .vhd) that don’t carry MoTW.
- Exploit archiving tools like 7-Zip to strip MoTW.
- HTML smuggling to bypass MoTW via JavaScript.
## Defensive Measures
- **Update Software:** Patch 7-Zip manually.
- **Group Policy:** Enforce MoTW handling.
- **Threat Protection:** Inspect container files.
- **User Training:** Avoid untrusted files.
## Conclusion
CVE-2025-0411 shows the danger of MoTW bypasses. With a patch available but no auto-updates, proactive updates and awareness are key to reducing risk.