
WinZip Zero-Day Enables Stealth Malware Attacks on Windows

Severity

High

Analysis Summary

A critical zero-day vulnerability in WinZip, tracked as CVE-2025-33028, allows attackers to bypass Windows' Mark-of-the-Web (MotW) security mechanism. Normally, MotW tags files downloaded from the internet, triggering security warnings upon access. However, WinZip fails to preserve this metadata during extraction, enabling malicious files such as macro-enabled Word documents to execute silently without user prompts.

The exploit is simple: an attacker compresses a harmful file into a ZIP archive and distributes it via phishing emails or compromised sites. When a victim extracts the archive using WinZip, the extracted file carries no MotW tag, so it appears trusted and can run undetected. This vulnerability carries a high severity impact and could lead to arbitrary code execution, privilege escalation, and data exfiltration. Alarmingly, it appears related to an earlier flaw, CVE-2024-8811, indicating ongoing issues in WinZip’s handling of archive files.

Similar MotW bypass vulnerabilities have also been reported in other tools, such as 7-Zip (CVE-2025-0411) and WinRAR (CVE-2025-31334). No patch for WinZip is currently available, prompting security experts to advise against using it for untrusted archives. Users should opt for alternative tools that retain MotW tags, scan extracted files with antivirus software, and disable macro autoloading in Office apps.

In enterprise environments, implementing restrictions on executing newly extracted files and reinforcing layered defenses is recommended. This incident highlights the risks of seemingly routine tasks like file extraction and the importance of vigilant security practices.
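As an added example (not Rewterz's or WinZip's code), the following Python audits whether files extracted from a downloaded archive still carry the Zone.Identifier alternate data stream that holds the MotW, and re-applies the archive's tag where an extractor dropped it. The stream name and its `[ZoneTransfer]`/`ZoneId` layout are Windows' real format; the function names are mine, and the NTFS read/write helpers only work on Windows.

```python
import configparser

# ZoneId 3 = Internet, 4 = Restricted sites: the zones that make Office
# open a file in Protected View and SmartScreen inspect it.
UNTRUSTED_ZONES = {3, 4}


def parse_zone_id(stream_text):
    """ZoneId from a Zone.Identifier stream, or None if missing/malformed."""
    if not stream_text:
        return None
    # interpolation=None: ReferrerUrl/HostUrl values may contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(stream_text)
        return cp.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def carries_motw(stream_text):
    """True if the stream tags the file as coming from an untrusted zone."""
    return parse_zone_id(stream_text) in UNTRUSTED_ZONES


def stripped_by_extraction(archive_stream, extracted):
    """Extracted files that lack MotW although the archive carried it.

    `extracted` maps each extracted path to its Zone.Identifier text (None
    when the stream is absent). A non-empty result is the symptom described
    for CVE-2025-33028: the extractor dropped the archive's tag.
    """
    if not carries_motw(archive_stream):
        return []  # archive was never tagged, so there was nothing to keep
    return sorted(p for p, s in extracted.items() if not carries_motw(s))


def read_zone_identifier(path):
    """Read the Zone.Identifier ADS of `path` (NTFS on Windows only)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


def restore_motw(archive_path, extracted_paths):
    """Copy the archive's Zone.Identifier onto extracted files that lost it."""
    tag = read_zone_identifier(archive_path)
    streams = {p: read_zone_identifier(p) for p in extracted_paths}
    lost = stripped_by_extraction(tag, streams)
    for p in lost:
        with open(f"{p}:Zone.Identifier", "w", encoding="utf-8") as fh:
            fh.write(tag)
    return lost
```

Run `restore_motw` over the extraction directory of a downloaded archive; a non-empty return value means the archiver in use is not preserving MotW, which is the behaviour the remediation list below asks you to check for.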

Impact

  • Code Execution
  • Privilege Escalation
  • Data Exfiltration

Indicators of Compromise

CVE

  • CVE-2025-33028
  • CVE-2024-8811
  • CVE-2025-0411
  • CVE-2025-31334

Affected Vendors

WinZip

Affected Products

  • WinZip 76.9

Remediation

  • Avoid using WinZip for extracting files from untrusted sources and refer to the WinZip website for patch, upgrade, or suggested workaround information.
  • Use alternative archiving tools that preserve Mark-of-the-Web metadata, such as Windows’ built-in extractor.
  • Disable macro autoloading in Microsoft Office applications.
  • Scan all extracted files with updated antivirus or endpoint detection tools.
  • Educate users on phishing risks and suspicious attachments.
  • Implement application control policies to restrict execution of files from temporary or download directories.
  • Monitor file extraction activities and scan for anomalous behavior in SIEM or EDR platforms.
  • For enterprise systems, quarantine or delay execution of newly extracted files pending further inspection.
  • Regularly update all software, especially file-handling utilities, to their latest secure versions.
  • Apply group policies or endpoint hardening to enforce stricter handling of files lacking MotW metadata.