7-Zip — CraftedSignal Threat Feed

7-Zip Multiple Vulnerabilities Allow Remote Code Execution

hello@craftedsignal.io — Wed, 01 Apr 2026 09:23:57 +0000

Multiple vulnerabilities have been identified in 7-Zip, a widely used file archiver. An attacker who successfully exploits these vulnerabilities could execute arbitrary program code with the privileges of the 7-Zip service. This could allow an attacker to gain elevated privileges on the system, potentially leading to complete system compromise. The vulnerabilities are present in the Windows version of 7-Zip. This issue impacts systems where 7-Zip is installed and used, especially in environments where the software is used with elevated privileges or system services. Exploitation would likely involve crafting malicious archive files or exploiting the command-line interface.

Attack Chain

The attacker identifies a vulnerable version of 7-Zip installed on a target system.
The attacker crafts a malicious archive file (e.g., .zip, .7z) specifically designed to exploit a vulnerability in 7-Zip’s parsing or extraction routines.
The attacker delivers the malicious archive to the target system, potentially via social engineering or by exploiting a separate vulnerability to gain initial access.
The user or an automated process (e.g., a script using 7-Zip) attempts to open or extract the malicious archive file using 7-Zip.
During the archive processing, the vulnerability is triggered, allowing the attacker to execute arbitrary code.
The attacker injects malicious code into the 7-Zip process, leveraging the service’s privileges to perform actions with elevated permissions.
The attacker uses the gained privileges to install malware, modify system settings, or move laterally within the network.
The attacker achieves persistence and control over the compromised system, potentially leading to data exfiltration or further attacks.

Impact

Successful exploitation of these vulnerabilities allows an attacker to execute arbitrary code with elevated privileges on the targeted system. This can lead to a complete compromise of the system, including data theft, installation of malware, and lateral movement within the network. The number of potential victims is significant due to the widespread use of 7-Zip. Sectors impacted are broad, including any organization or individual using the vulnerable software.

Recommendation

Monitor for unusual process execution originating from 7-Zip’s executable (e.g., 7z.exe, 7za.exe), using process creation logs and the Sigma rule Detect Suspicious 7-Zip Process Execution.
Implement file integrity monitoring on the 7-Zip installation directory to detect unauthorized modifications to the application binaries.
Monitor network connections originating from 7-Zip processes for suspicious or unusual outbound traffic using network connection logs.

7-Zip Vulnerability Allows File Manipulation

hello@craftedsignal.io — Wed, 01 Apr 2026 09:21:35 +0000

A vulnerability exists in 7-Zip that allows a remote, anonymous attacker to manipulate files. This vulnerability poses a risk to data integrity and could potentially be exploited to introduce malicious content or alter existing files without proper authorization. The specific version(s) of 7-Zip affected are not detailed in the source. Due to the lack of specificity of the source, defenders should treat all versions of 7-Zip as potentially vulnerable until further information is available. This is particularly relevant for systems using 7-Zip to manage sensitive data or as part of automated processes.

Attack Chain

Attacker identifies a vulnerable 7-Zip installation.
Attacker crafts a specially crafted archive file.
Attacker delivers the archive file to the target system (delivery method unspecified).
The target user or system attempts to open the archive using 7-Zip.
7-Zip processes the malicious archive, triggering the vulnerability.
The vulnerability allows the attacker to modify files on the system.
Attacker may overwrite existing files with malicious content, or inject new files.
The manipulated files can then be used to compromise the system or network further.

Impact

The successful exploitation of this vulnerability can lead to unauthorized file manipulation. This could result in data corruption, introduction of malware, or unauthorized modification of system configurations. The impact is potentially widespread, affecting any system using a vulnerable version of 7-Zip. The number of potential victims is unknown, and any sector using 7-Zip for archiving or file management is potentially at risk.

Recommendation

Monitor 7-Zip process execution for suspicious command-line arguments that may indicate exploitation attempts (see example Sigma rule below).
Implement file integrity monitoring (FIM) on critical files and directories accessed or modified by 7-Zip processes to detect unauthorized changes.
Since no specific CVE is listed, stay informed about any updates or patches released by the 7-Zip developers and apply them promptly.
If practical, analyze 7-Zip archive operations to detect file overwrites or suspicious file creation patterns (implement the second Sigma rule below).

MOTW Bypass via CAB, TAR, and 7-Zip Chaining

hello@craftedsignal.io — Thu, 19 Mar 2026 17:31:15 +0000

A new MOTW bypass technique has emerged that chains a CAB file with two TAR archives nested within a 7-Zip archive. This method effectively strips the Zone.Identifier stream from downloaded files, preventing the display of SmartScreen prompts or security warnings. Many organizations rely on MOTW and SmartScreen as a crucial layer of defense against phishing attacks. This bypass, affecting fully patched environments, allows attackers to execute arbitrary code without the usual security checks, potentially leading to malware infection or data compromise. The technique is not a rehash of older 7-Zip MOTW issues but a novel approach to evade detection based on Zone.Identifier.

Attack Chain

Attacker crafts a malicious payload.
Attacker packages the payload into a TAR archive.
The TAR archive is nested inside another TAR archive.
The nested TAR archives are then compressed into a 7-Zip archive using 7z.exe.
The 7-Zip archive is packaged into a CAB archive using makecab.exe.
The CAB archive is distributed to the victim, potentially via phishing or drive-by download.
The victim opens the CAB archive, extracting the nested 7-Zip, TAR, and payload.
The payload executes without a Zone.Identifier stream, bypassing MOTW and SmartScreen, potentially leading to malware infection or unauthorized access.

Impact

Successful exploitation allows attackers to bypass security controls that rely on MOTW and SmartScreen. This can lead to malware infections, data breaches, or other malicious activities. The bypass affects fully patched environments, increasing the scope of potential victims. The absence of security warnings makes it more likely that users will execute the malicious payload, increasing the success rate of attacks.

Recommendation

Implement detections for unusual process chains involving makecab.exe, 7z.exe, and tar.exe as these tools are used in the bypass (see Sigma rule “Detect Suspicious Archive Chaining”).
Monitor for archive extractions from unusual locations, especially those originating from downloaded CAB files, using file event logging and process monitoring (see Sigma rule “Detect Archive Extraction from Downloaded CAB”).
Analyze network connections from processes spawned from archive extractions, as they may indicate command and control or data exfiltration.
Block the URL https://youtu.be/pQxiPwGTBL8 to prevent users from accessing potentially malicious content related to this bypass.