Cyber Posture

CVE-2025-0411

Severity: High · CISA KEV · Active Exploitation

Published: 25 January 2025

Modified: 27 October 2025
KEV Added: 06 February 2025
Patch
CVSS Score: 7.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.5241 (97.9th percentile)
Risk Priority: 65 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0411 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in 7-Zip; NetApp Active IQ Unified Manager is also listed as affected. Its CVSS v3.1 base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Mark-of-the-Web Bypass (T1553.005). Its EPSS score places it in the top 2.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-16 (Security and Privacy Attributes) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Mark-of-the-Web Bypass (T1553.005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation requires timely patching of 7-Zip to fix the failure to propagate Mark-of-the-Web to extracted files, directly preventing exploitation of CVE-2025-0411.

AC-16 Security and Privacy Attributes (prevent): Security and privacy attributes control mandates proper assignment and propagation of markings like Mark-of-the-Web during archive extraction, addressing the core bypass mechanism.

SI-3 Malicious Code Protection (prevent, detect): Malicious code protection scans and blocks arbitrary code execution from extracted files that evade Mark-of-the-Web, providing defense-in-depth against successful exploitation.

MITRE ATT&CK Enterprise Techniques

T1553.005 Mark-of-the-Web Bypass (Defense Impairment)
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.

Why these techniques?

CVE explicitly describes a Mark-of-the-Web bypass in archive extraction, directly matching T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

Deeper analysis

CVE-2025-0411 is a Mark-of-the-Web bypass vulnerability affecting installations of 7-Zip. The specific flaw exists within the handling of archived files, where 7-Zip fails to propagate the Mark-of-the-Web protection to extracted files when processing a crafted archive that bears the Mark-of-the-Web. This issue, originally tracked as ZDI-CAN-25456, was published on 2025-01-25 and carries a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), mapped to CWE-693.

Remote attackers can exploit this vulnerability, but user interaction is required, such as the target visiting a malicious page or opening a malicious file. Successful exploitation allows the attacker to bypass Mark-of-the-Web protections and execute arbitrary code in the context of the current user.

Further details are available in the Zero Day Initiative's ZDI-25-045 advisory, a discussion on the oss-security mailing list, NetApp's advisory ntap-20250207-0005, and Vicarius resources on mitigation and detection for the 7-Zip vulnerability.

Details

CWE(s): CWE-693 (Protection Mechanism Failure)
KEV Date Added: 06 February 2025

Affected Products

NetApp Active IQ Unified Manager: all versions
7-Zip: ≤ 24.09

CVEs Like This One

CVE-2024-54085: same product class (NAS / storage appliance); both on KEV
CVE-2025-24813: same product class (NAS / storage appliance); both on KEV
CVE-2021-44228: same product (NetApp Active IQ Unified Manager); both on KEV
CVE-2025-24970: same product (NetApp Active IQ Unified Manager)
CVE-2025-26512: same product class (NAS / storage appliance)
CVE-2024-56171: same product (NetApp Active IQ Unified Manager)
CVE-2025-24928: same product (NetApp Active IQ Unified Manager)
CVE-2025-26465: same product (NetApp Active IQ Unified Manager)
CVE-2026-32202: shared CWE-693; both on KEV
CVE-2025-27423: same product class (NAS / storage appliance)
