Hackers Execute Malicious Code Silently Via the WinZip MotW Bypass Vulnerability

“Hackers are executing malicious code in camouflage by using the WinZip MotW Bypass Vulnerability.”
A serious flaw in WinZip that lets hackers get around Windows’ Mark-of-the-Web (MotW) security feature could let malicious code run on victims’ computers without their knowledge. This significant security vulnerability, known as CVE-2025-33028, has a high severity CVSS score of 7.8 and impacts WinZip installations up to version 29.0.
A Windows security feature called Mark-of-the-Web marks files downloaded from the internet and issues alerts when users try to view potentially harmful content. Researchers discovered that when WinZip extracts items from downloaded archives, it loses this crucial identifier.
Security researcher Enis Aksu
“When extracting files from an internet-downloaded ZIP archive, WinZip doesn’t propagate the MotW tag to the extracted files,” explained security researcher Enis Aksu, who discovered the vulnerability.
“This allows dangerous files like macro-enabled Office documents to run without security alerts, creating a silent attack vector.”
The exploitation process is simple: attackers produce a malicious file (such as a .docm document carrying harmful macros), compress it into an archive, distribute it through phishing or compromised websites, and rely on the victim extracting it with WinZip, after which the extracted files open without the standard security alerts.
This vulnerability is especially worrisome because it lets attackers get around a basic Windows security feature with little technical know-how. Successful exploitation could lead to unauthorized code execution, privilege escalation, and data theft—all while the files appear legitimate to the end user.
The defect indicates an imperfect remedy for a previously reported issue (CVE-2024-8811), demonstrating persistent challenges in protecting archive extraction operations.
Other well-known archive utilities, such as 7-Zip (CVE-2025-0411) and WinRAR (CVE-2025-31334), have recently been affected by similar MotW bypass flaws, pointing to a concerning trend in archive software security that attackers are actively taking advantage of.
WinRAR fixed its own Mark-of-the-Web (MotW) bypass vulnerability with the release of version 7.11, which reduces the risk of MotW loss being used as an attack vector through that application.
Since there isn’t a patch for this particular WinZip vulnerability at the moment, users should:
- Be extremely cautious when opening archive files from sources you don’t trust.
- Think about utilizing different archive tools that handle MotW correctly.
- Before opening any extracted files, make sure your antivirus software is up to date.
- Prevent Office applications from running macros automatically.
Additional controls should be put in place by enterprise administrators to keep an eye on and limit the execution of recently extracted files in business settings. The finding emphasizes the necessity of defense-in-depth cybersecurity strategies by demonstrating how even simple file operations can result in serious security vulnerabilities when safeguards aren’t in place.
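One such control, added here as an example and not code from the article or from WinZip: a PowerShell audit that walks an extraction folder, reports which files lack the Zone.Identifier stream that carries the Mark-of-the-Web, and can optionally re-apply the Internet-zone tag so SmartScreen and Office Protected View engage again. It assumes an NTFS volume and Windows PowerShell 5.1 or later; the folder path and the extension list are placeholders to adjust.

```powershell
# Added example: audit extracted files for a missing Mark-of-the-Web (Zone.Identifier ADS)
# and optionally restore it. Not part of WinZip or the original article.
# Assumes an NTFS volume and Windows PowerShell 5.1 or later.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder WinZip extracted into (placeholder)
        [switch]$Restore                         # re-apply ZoneId=3 where the tag is missing
    )
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null
        # MotW is stored in the NTFS alternate data stream ':Zone.Identifier'
        $stream = Get-Item -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $content = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            foreach ($line in $content) {
                if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
            }
        }
        # ZoneId 3 = Internet, 4 = Restricted; anything lower (or absent) gets no download warnings
        $hasMotw = ($null -ne $zoneId -and $zoneId -ge 3)
        if (-not $hasMotw -and $Restore) {
            # Re-tag as Internet zone so downstream controls treat the file as downloaded again
            Set-Content -Path $file.FullName -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
            $zoneId  = 3
            $hasMotw = $true
        }
        [pscustomobject]@{
            File      = $file.FullName
            Extension = $file.Extension
            ZoneId    = $zoneId
            HasMotw   = $hasMotw
        }
    }
}

# Usage: files with HasMotw = $false are the ones an extraction left without the tag;
# the extension filter focuses on macro-enabled Office documents and executables.
Get-MotwStatus -Path 'C:\Users\Public\Downloads\extracted' |
    Where-Object { -not $_.HasMotw -and $_.Extension -in '.docm', '.xlsm', '.pptm', '.exe' } |
    Format-Table File, ZoneId, HasMotw
```

Run with `-Restore` only after confirming the files really came from the internet, since the tag is what triggers the warnings the article describes.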
Users should exercise caution when handling files from untrusted sources since attackers are increasingly focusing on archiving utilities.
About The Author
Suraj Koli is a content specialist with expertise in Cybersecurity and B2B Domains. He has provided his skills for the News4Hackers Blog and Craw Security. Moreover, he has written content for various sectors Business, Law, Food and beverage, Entertainment, and many others. Koli established his center of the field in an amazing scenario. Simply said, he started his career selling products, where he enhanced his skills in understanding the product and the point of view of clients from the customer’s perspective, which simplified his journey in the long run. It makes him an interesting personality among other writers. Currently, he is a regular writer at Craw Security.