CyberSecurityBoard
Sponsor Register Login

WinZip MotW Bypass Vulnerability Let Hackers Execute Malicious Code Silently

The exploitation process is straightforward: attackers create a malicious file (such as a .docm file with dangerous macros), compress it into an archive, distribute it via phishing or compromised websites, and when victims extract it using WinZip, the extracted files execute without triggering the usual security warnings. Cybersecurity researchers have discovered a critical vulnerability in WinZip that enables attackers to bypass Windows’ Mark-of-the-Web (MotW) security feature, potentially allowing malicious code to execute without warning on victims’ computers. “When extracting files from an internet-downloaded ZIP archive, WinZip doesn’t propagate the MotW tag to the extracted files,” explained security researcher Enis Aksu, who discovered the vulnerability. Similar MotW bypass vulnerabilities have recently affected other popular archive utilities, including 7-Zip (CVE-2025-0411) and WinRAR (CVE-2025-31334), indicating a troubling trend in archive software security that attackers exploit. Mark-of-the-Web is a Windows security mechanism that flags files downloaded from the internet, triggering warnings when users attempt to open potentially dangerous content. “This allows dangerous files like macro-enabled Office documents to run without security alerts, creating a silent attack vector”. This vulnerability is particularly concerning because it allows attackers to bypass a fundamental Windows security control with minimal technical expertise.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 22 Apr 2025 03:00:12 +0000


Cyber News related to WinZip MotW Bypass Vulnerability Let Hackers Execute Malicious Code Silently

WinZip MotW Bypass Vulnerability Let Hackers Execute Malicious Code Silently - The exploitation process is straightforward: attackers create a malicious file (such as a .docm file with dangerous macros), compress it into an archive, distribute it via phishing or compromised websites, and when victims extract it using WinZip, ...
1 month ago Cybersecuritynews.com CVE-2025-0411
WinZip Vulnerability Let Remote Attackers Execute Arbitrary Code - A newly disclosed high-severity vulnerability in WinZip, tracked as CVE-2025-1240, enables remote attackers to execute arbitrary code on affected systems by exploiting malformed 7Z archive files. Security firm Zero Day Initiative (ZDI) detailed the ...
4 months ago Cybersecuritynews.com CVE-2025-1240 CVE-2025-21298 CVE-2025-0108
WinRAR 7.10 boosts Windows privacy by stripping MoTW data - This allows the Mark-of-the-Web security feature to continue to work with extracted files, but the alternate data stream can no longer be used to learn where the file was downloaded. Modern file archives will propagate the MoTW found in archives to ...
4 months ago Bleepingcomputer.com
WinRAR flaw bypasses Windows Mark of the Web security alerts - A vulnerability in the WinRAR file archiver solution could be exploited to bypass the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows machine. Mark of the Web is a security function in Windows in the form of a metadata ...
2 months ago Bleepingcomputer.com
CVE-2004-0333 - Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters. This was fixed in WinZip 8.1 ...
7 years ago
WinRAR "Mark of the Web" Bypass Vulnerability Let Attackers Arbitrary Code - A newly disclosed vulnerability in WinRAR allows attackers to bypass a core Windows security mechanism, enabling arbitrary code execution on affected systems. The patch rollout highlights the ongoing challenges archiving tools face in balancing ...
2 months ago Cybersecuritynews.com CVE-2025-31334
Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code - Security researcher Nafiez has publicly disclosed a previously unknown vulnerability affecting Windows LNK files (shortcuts) that can potentially allow attackers to execute code remotely without user interaction. As security researchers from Intezer ...
1 month ago Cybersecuritynews.com
How Hackers Interrupted GTA 5 Online Gameplay on PC - Recently, a cyber-attack on Grand Theft Auto 5 Online on PC caused an interruption to thousands of players’ gameplays. The game was completely taken offline and players couldn’t even access the main gameplay menu. The attack caused an uproar ...
2 years ago Hackread.com
Weekly Cyber Security News Letter - Last Week's Top Cyber Attacks & Vulnerabilities - A critical vulnerability in Windows Defender Application Control (WDAC) has been uncovered, allowing attackers to bypass strict security policies using WinDbg Preview, a Microsoft Store app. A vulnerability in the FireEye EDR agent allows attackers ...
1 month ago Cybersecuritynews.com Hunters Akira
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
2 years ago Thehackernews.com
CVE-2024-8811 - WinZip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the ...
6 months ago Tenable.com
CVE-2025-33028 - In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User ...
2 months ago
Booking.com hackers increase attacks on customers - Hackers are increasing their attacks on Booking.com customers by posting adverts on dark web forums asking for help finding victims. Cyber-criminals are offering up to $2,000 for login details of hotels as they continue to target the people who are ...
1 year ago Bbc.com
Holiday Hackers: How to Safeguard Your Service Desk - Hackers really don't take holidays, but they will take advantage of them. Many of these cyberattacks will zero in on the service or help desk to gain entry into network systems. Recovering accounts because of forgotten passwords is one of the ...
1 year ago Bleepingcomputer.com
Hackers Fix Polish Train Glitch, Face Legal Pushback by the Manufacturer - In a recent cybersecurity incident, three Polish hackers achieved success in repairing the malfunctioning software of a train, initially serviced by independent repair shops for a regional rail operator. The narrative took a twist when accusations ...
1 year ago Hackread.com
North Korean Hackers Use Fake Job Offers & Salary Bumps as Lure for Crypto Theft - Recent investigations have uncovered a massive operation carried out by North Korean hackers looking to steal cryptocurrency through fake job offers and salary bumps. According to recent reports, hackers have been able to trace the malicious ...
2 years ago Therecord.media
Hacker Conversations: Chris Evans, Hacker and CISO - Chris Evans is CISO and chief hacking officer at HackerOne. SecurityWeek's Hacker Conversations series seeks to understand the mind and motivations of hackers by talking to hackers. Evans challenges the common perception of both hackers and their ...
11 months ago Securityweek.com Silence
How Russian Hackers Attack Samsung Devices – A Comprehensive Guide - Samsung devices have become all the rage around the globe. Unfortunately, their popularity also attracts the attention of hackers and other cybercriminals who take advantage of them to spread their malicious codes and conduct their illegal ...
2 years ago Heimdalsecurity.com
CVE-2006-3890 - Stack-based buffer overflow in the Sky Software FileView ActiveX control, as used in WinZip 10 before build 7245 and in certain other applications, allows remote attackers to execute arbitrary code via a long FilePattern attribute in a WZFILEVIEW ...
6 years ago
CVE-2007-0264 - Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application ...
16 years ago
Chinese Hackers Turn To Golang For Malware - Chinese hackers are increasingly turning to the open-source programming language Golang to maliciously code and launch new cyberattacks. According to the latest analysis by The Hacker News, this has resulted in an increase in the number of cyber ...
2 years ago Thehackernews.com BlackTech Carbanak
Microsoft: BlueNoroff hackers plan new crypto-theft attacks - Microsoft warns that the BlueNoroff North Korean hacking group is setting up new attack infrastructure for upcoming social engineering campaigns on LinkedIn. This financially motivated threat group also has a documented history of cryptocurrency ...
1 year ago Bleepingcomputer.com
The Unlikely Romance of Hackers and Government Suitors - The annual Hack the Capitol event brings together a diverse group of scientists, hackers, and policymakers to educate congressional staffers, scholars, and the press about the most critical cybersecurity challenges facing our nation. Hack the Capitol ...
1 year ago Darkreading.com
Russian hackers use Ngrok feature and WinRAR exploit to attack embassies - After Sandworm and APT28, another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. APT29 is tracked under different names and has been targeting embassy entities with a BMW car ...
1 year ago Bleepingcomputer.com CVE-2023-38831 APT28 APT29
China-linked hackers target European healthcare orgs in suspected espionage campaign | The Record from Recorded Future News - A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said. The hackers, dubbed Green Nailao, deployed ShadowPad ...
4 months ago Therecord.media

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)