Vulnerability Analysis

WinRAR CVE-2025-0411 Mark-of-the-Web Bypass

CVE-2025-0411 lets files extracted from a crafted WinRAR archive land on disk without the Windows Mark-of-the-Web tag. Here is the flaw, the observed campaigns, and the patching path.

Shadab Khan
Security Engineer
7 min read

WinRAR CVE-2025-0411 is a Mark-of-the-Web bypass disclosed by the Zero Day Initiative in January 2025 after RARLAB shipped a fix in WinRAR 7.11. ZDI reported the bug as ZDI-25-045, with CVSS 7.8. This is the second major MOTW-related flaw in WinRAR in two years, following CVE-2023-38831, which multiple nation-state groups exploited heavily. The Russia-aligned threat group RomCom was observed exploiting CVE-2025-0411 before the patch was available, against European government and defense-sector targets.

What does Mark-of-the-Web do and why is this bypass serious?

Mark-of-the-Web is the Windows mechanism that tags files downloaded from the internet so that applications can prompt before opening them or restrict execution. The bypass is serious because every layer of corporate protection assumes the tag propagates correctly. When a browser or email client writes a file to disk, it adds an NTFS alternate data stream named Zone.Identifier whose contents include ZoneId=3 (the Internet zone). Office applications read that stream to enable Protected View, SmartScreen reads it to decide whether to prompt or block, and application control policies use it to block unsigned executables. Because it is an NTFS stream, it is silently dropped when the file is copied to a FAT32 or exFAT volume or passed through a tool that does not copy alternate streams.

The assumption behind all of this is that when an archive is extracted, the extractor copies the MOTW from the archive onto every file it writes. WinRAR honors this contract in the normal path. CVE-2025-0411 breaks it when the archive uses specific path and symlink constructions that confuse WinRAR's propagation routine, so extracted files land on disk without the Zone.Identifier stream. To Windows they look like files the user created locally, so SmartScreen and Office Protected View do not engage.
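The stream is easy to inspect and reproduce from PowerShell. The following is an added example, not code from this article, from RARLAB or from WinRAR: it stamps a constructed file the way a browser would, reads the ZoneId back, strips it with Unblock-File, and then audits an extraction folder for files that lost the tag. The function names, the scratch directory under %TEMP% and the WinRAR.exe location are assumptions.

```powershell
# Added example (not from the original article or from RARLAB): stamp, read and audit the
# Zone.Identifier stream. Needs Windows, an NTFS volume and PowerShell 5.1 or later.
# Function names and scratch paths are our own.

function Get-ZoneId {
    # Return the ZoneId carried in the Zone.Identifier ADS, or $null when the file has none.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null                     # no stream: Windows treats the file as local
    }
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Set-MarkOfTheWeb {
    # Write the same stream a browser or mail client writes on download (3 = Internet zone).
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=$ZoneId"
}

function Test-MotwPropagation {
    # List extracted files that carry no Zone.Identifier although the archive itself did.
    # Anything returned is either an extractor that never propagates MOTW or a bypass.
    param([Parameter(Mandatory)][string]$Archive,
          [Parameter(Mandatory)][string]$Destination)
    $archiveZone = Get-ZoneId -Path $Archive
    if ($null -eq $archiveZone) {
        Write-Warning "$Archive itself is untagged; nothing to propagate"
        return
    }
    Get-ChildItem -LiteralPath $Destination -Recurse -File | ForEach-Object {
        if ($null -eq (Get-ZoneId -Path $_.FullName)) {
            [pscustomobject]@{ File = $_.FullName; ArchiveZoneId = $archiveZone; ExtractedZoneId = $null }
        }
    }
}

# --- walkthrough on constructed files ------------------------------------------------
$work = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
$payload = Join-Path $work 'invoice.pdf.exe'             # constructed sample, not a real binary
Set-Content -LiteralPath $payload -Value 'not-a-real-pe'

"untouched file: ZoneId = $(Get-ZoneId $payload)"         # empty: looks local to SmartScreen
Set-MarkOfTheWeb -Path $payload
"after download stamp: ZoneId = $(Get-ZoneId $payload)"   # 3
Unblock-File -LiteralPath $payload                        # what the Properties > Unblock box does
"after Unblock-File: ZoneId = $(Get-ZoneId $payload)"     # empty again

# Simulate the phishing flow: build an archive, stamp it as downloaded, extract it with the
# archiver under test, then audit the output. The WinRAR.exe path is an assumption.
$zip = Join-Path $work 'invoice.zip'
Compress-Archive -Path $payload -DestinationPath $zip
Set-MarkOfTheWeb -Path $zip
$out = Join-Path $work 'extracted'
$winrar = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
if (Test-Path -LiteralPath $winrar) {
    Start-Process -FilePath $winrar -ArgumentList @('x', '-ibck', "`"$zip`"", "`"$out\`"") -Wait
} else {
    Expand-Archive -LiteralPath $zip -DestinationPath $out   # fallback so the audit still runs
}
Test-MotwPropagation -Archive $zip -Destination $out | Format-Table -AutoSize
```

Run the audit once against a benign archive to learn what your WinRAR build and its "Propagate Mark of the Web" setting produce before treating a finding as a bypass; the Expand-Archive fallback writes no stream itself, so that path shows what a non-propagating extractor looks like to the check.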

How does the exploitation chain operate in observed campaigns?

The observed exploitation chain uses phishing emails with weaponized RAR or ZIP archives that contain a nested structure crafted to trigger the bypass. The victim downloads the archive, which correctly receives MOTW. They open it in WinRAR and extract. Due to the path-handling bug, the extracted executable or LNK file lands on disk without MOTW. The user double-clicks, SmartScreen does not prompt, the executable runs, and the payload establishes persistence.

In the RomCom campaigns reported by ESET in January 2025, the payload was a variant of the RomCom backdoor distributed to European government and defense contractor targets. The initial archives purported to be invoices, legal documents, or interview materials. After execution, the backdoor established C2 to infrastructure previously attributed to RomCom and performed standard reconnaissance: domain enumeration, credential harvesting, and lateral movement through SMB and WMI.

The chain's effectiveness depends entirely on the MOTW bypass. Without it, SmartScreen would have blocked or prompted on the executable and Office Protected View would have opened any document read-only, and the click-through rate on those prompts is significantly lower than on files that appear local.

Which WinRAR versions are affected and who else is exposed?

WinRAR versions 7.10 and earlier on Windows are affected. The bug does not impact RAR on Linux or Android because those platforms do not implement MOTW. The fix is in WinRAR 7.11, released on January 15, 2025. What matters for corporate environments is not just the desktop WinRAR install but every product that bundles the WinRAR engine or the unrar library. That list includes file manager plugins, forensic tools, email gateway unpackers, and sandboxing solutions that recursively extract archives during analysis.

Exposure is frequently larger than IT teams expect because:

  • WinRAR is bundled into software development kits from disk-imaging and backup vendors
  • Enterprise file-transfer appliances unpack RAR files server-side using older unrar versions
  • Some email gateways scan inside RAR archives but do not propagate MOTW to extracted files at all, which is a structurally similar bypass
  • User workstations frequently have WinRAR installed via IT imaging templates and never upgraded

A corporate WinRAR inventory is usually two to three times larger than what the software asset management system reports, because copies arrive inside other products' installers or are installed by users directly and never register as a separate application.
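One way to size that gap on a single endpoint is to diff what the Uninstall registry records against what is actually on disk. The following is an added example, not tooling from the article or from Safeguard.sh: the Uninstall-key query is what a typical asset agent reads, the file-system sweep finds bundled copies, and each copy is compared with the 7.11 fix version this article names. The search roots, the list of engine binaries and that threshold are assumptions taken from the article.

```powershell
# Added example (not from the original article): find every WinRAR engine copy on an endpoint,
# mark which ones the SAM agent can see, and flag versions below the article's fix version.
# Search roots, binary names and the 7.11 threshold are assumptions; extend them to your layout.

$FixedVersion   = [version]'7.11'
$EngineBinaries = 'WinRAR.exe', 'Rar.exe', 'UnRAR.exe', 'unrar.dll', 'unrar64.dll'

function Get-BinaryVersion {
    # Parse the leading numeric part of FileVersion ("7.10.0" or "7.11.0 (x64)") as [version].
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    $raw = $File.VersionInfo.FileVersion
    if ($raw -and $raw -match '^\s*(\d+\.\d+(\.\d+){0,2})') { return [version]$Matches[1] }
    return $null
}

function Get-RegisteredWinRar {
    # What the asset agent sees: Uninstall entries whose DisplayName starts with WinRAR.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -LiteralPath $_.PSPath } |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Find-WinRarEngineCopies {
    # What the asset agent misses: every engine binary on disk, wherever a product bundled it.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, "$env:SystemDrive\Tools"))
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Include $EngineBinaries -ErrorAction SilentlyContinue |
            ForEach-Object {
                $v = Get-BinaryVersion -File $_
                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $v
                    Vulnerable = ($null -eq $v) -or ($v -lt $FixedVersion)   # unknown version counts as exposed
                    Registered = $false
                }
            }
    }
}

$registered = @(Get-RegisteredWinRar)
$copies     = @(Find-WinRarEngineCopies)
foreach ($c in $copies) {
    # A copy is "registered" only if it sits under an InstallLocation the Uninstall key knows about.
    $c.Registered = [bool]($registered | Where-Object {
        $_.InstallLocation -and $c.Path.StartsWith($_.InstallLocation, [StringComparison]::OrdinalIgnoreCase) })
}
"SAM-visible installs: $($registered.Count)   engine copies on disk: $($copies.Count)"
$copies | Sort-Object Vulnerable -Descending | Format-Table Path, Version, Vulnerable, Registered -AutoSize
```

Unregistered copies with Vulnerable set are the ones that will survive a "push WinRAR 7.11" campaign untouched; they need the bundling vendor's update, not RARLAB's installer.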

How do defenders detect bypass attempts and compromise?

Defenders detect bypass attempts by monitoring extraction events and cross-referencing with MOTW presence on extracted files. High-signal detection rules:

  • Sysmon event ID 11 (FileCreate) for executables, scripts, or LNK files written to disk by WinRAR.exe or unrar.exe, correlated with event ID 15 (FileCreateStreamHash), which Sysmon raises when the Zone.Identifier stream is written; a FileCreate from the archiver with no matching stream event within a few seconds is the bypass signature
  • EDR rules that alert when an archive extraction produces an executable without MOTW
  • Email gateway rules that quarantine RAR and ZIP archives containing nested paths over three levels deep or using symlink entries
  • YARA rules for RomCom backdoor variants, built from the IOC sets ESET and Recorded Future published in January and February 2025

For post-compromise detection, focus on RomCom's standard behaviors: scheduled tasks created under recognizable names, DNS queries to the C2 domains published by ESET, and the use of rundll32 to invoke the backdoor DLL from a user-writable directory.

The most reliable detection is the MOTW-absence check on freshly extracted files. It is a one-line PowerShell check (Get-Item -Path <file> -Stream Zone.Identifier, which errors when the stream is absent) and can be instrumented through EDR file-write callbacks or Sysmon.
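The Sysmon version of that check is a correlation between two event IDs rather than a single rule. The following is an added example, not the article's or any vendor's detection content: it flattens Sysmon records from Get-WinEvent, then reports every risky file an archiver wrote (event ID 11) for which no Zone.Identifier stream creation (event ID 15) followed within a short window. The sample events are constructed; the archiver and extension lists are assumptions that widen the article's WinRAR case to other extractors you may allow.

```powershell
# Added example (not from the original article): correlate Sysmon FileCreate (ID 11) with
# FileCreateStreamHash (ID 15) to flag archiver output that never received Zone.Identifier.
# Sample events below are constructed; archiver and extension lists are assumptions.

function ConvertFrom-SysmonEvent {
    # Flatten an EventLogRecord from Get-WinEvent into one object with EventData fields as properties.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $o = [ordered]@{ Id = $Event.Id; Time = $Event.TimeCreated }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-UntaggedExtraction {
    # For every risky file an archiver wrote, require an ID 15 event for "<file>:Zone.Identifier"
    # within $WindowSeconds. No such event means the extractor skipped MOTW (bug or bypass).
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$ArchiverImages  = @('WinRAR.exe', 'UnRAR.exe', 'Rar.exe', '7zG.exe', '7zFM.exe', '7z.exe'),
        [string[]]$RiskyExtensions = @('.exe', '.dll', '.scr', '.lnk', '.js', '.vbs', '.hta', '.cmd', '.bat', '.ps1'),
        [int]$WindowSeconds = 5
    )
    $streamEvents = $Events | Where-Object { $_.Id -eq 15 -and $_.TargetFilename -like '*:Zone.Identifier' }
    foreach ($e in ($Events | Where-Object { $_.Id -eq 11 })) {
        if ($ArchiverImages -notcontains (Split-Path -Leaf $e.Image)) { continue }
        if ($RiskyExtensions -notcontains [IO.Path]::GetExtension($e.TargetFilename).ToLower()) { continue }
        $expected = $e.TargetFilename + ':Zone.Identifier'
        $tagged = $streamEvents | Where-Object {
            $_.TargetFilename -eq $expected -and
            [math]::Abs(($_.Time - $e.Time).TotalSeconds) -le $WindowSeconds
        }
        if (-not $tagged) {
            [pscustomobject]@{ Time = $e.Time; Image = $e.Image; File = $e.TargetFilename; Finding = 'extracted without Zone.Identifier' }
        }
    }
}

# --- constructed sample: one WinRAR extraction writing three files --------------------
$t0  = [datetime]'2025-01-20T10:00:00'
$rar = 'C:\Program Files\WinRAR\WinRAR.exe'
$dir = 'C:\Users\alice\Downloads\invoice'
$sample = @(
    [pscustomobject]@{ Id = 11; Time = $t0;               Image = $rar; TargetFilename = "$dir\invoice.pdf.exe" }
    [pscustomobject]@{ Id = 11; Time = $t0.AddSeconds(1); Image = $rar; TargetFilename = "$dir\readme.txt" }
    [pscustomobject]@{ Id = 11; Time = $t0.AddSeconds(2); Image = $rar; TargetFilename = "$dir\helper.dll" }
    [pscustomobject]@{ Id = 15; Time = $t0.AddSeconds(2); Image = $rar; TargetFilename = "$dir\helper.dll:Zone.Identifier"; Contents = '[ZoneTransfer]  ZoneId=3' }
)
Find-UntaggedExtraction -Events $sample | Format-Table -AutoSize

# Live use against the Sysmon channel (needs FileCreate and FileCreateStreamHash rules in the config):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11, 15; StartTime = (Get-Date).AddDays(-1) } | ConvertFrom-SysmonEvent
# Find-UntaggedExtraction -Events $live | Format-Table -AutoSize
```

On the constructed sample only invoice.pdf.exe is reported: readme.txt is not a risky type, and helper.dll has its matching stream event. Event ID 15 is only logged when the Sysmon configuration includes a FileCreateStreamHash rule, so confirm that rule is present before trusting an absence of stream events.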

What patching and policy guidance actually closes the gap?

Closing the gap requires upgrading WinRAR to 7.11 or later everywhere and tightening archive-handling policy across the organization. The technical upgrade is straightforward: push WinRAR 7.11 through your endpoint management tool, verify inventory, and confirm that bundled unrar libraries inside other products are also updated. RARLAB provides a command-line version and a redistributable DLL, and both need to be refreshed.

Beyond the patch, the durable fix is policy:

  • Use Windows Defender Application Control or AppLocker to block unsigned executables launched from user-writable directories such as Downloads and %TEMP%, regardless of MOTW
  • Set SmartScreen to block rather than warn (the "Warn and prevent bypass" policy setting) for all user profiles
  • Disable archive auto-extract in email clients and enforce server-side scanning
  • Train users that extracted files inherit the risk of the archive source, and that the absence of a warning is not evidence of safety
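The SmartScreen item is the one most often left in warn mode, where a user can click through. This added example (not from the article) reads the values the "Configure Windows Defender SmartScreen" policy writes, reports whether the setting is unconfigured, warn-only or enforced, and on request sets it to block. The key and value names are those the policy uses; the function names are our own, and the enforce step needs an elevated prompt.

```powershell
# Added example (not from the original article): audit the SmartScreen policy state and, on
# request, move it from the weak setting (Warn, click-through allowed) to Block.
# Key and value names are the ones the SmartScreen policy writes; run elevated to enforce.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-SmartScreenPolicy {
    # NotConfigured means no policy is applied and users can toggle SmartScreen themselves.
    $props   = Get-ItemProperty -LiteralPath $PolicyKey -ErrorAction SilentlyContinue
    $enabled = $props.EnableSmartScreen
    $level   = $props.ShellSmartScreenLevel
    $state = if ($null -eq $enabled)     { 'NotConfigured' }
             elseif ($enabled -eq 0)     { 'Disabled' }
             elseif ($level -eq 'Block') { 'Enforced' }
             else                        { 'WarnOnly' }
    [pscustomobject]@{ EnableSmartScreen = $enabled; ShellSmartScreenLevel = $level; State = $state }
}

function Set-SmartScreenEnforced {
    # Weak:     EnableSmartScreen=1, ShellSmartScreenLevel=Warn  (user can run the file anyway)
    # Hardened: EnableSmartScreen=1, ShellSmartScreenLevel=Block ("Warn and prevent bypass")
    if (-not (Test-Path -LiteralPath $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -LiteralPath $PolicyKey -Name EnableSmartScreen     -Value 1       -Type DWord
    Set-ItemProperty -LiteralPath $PolicyKey -Name ShellSmartScreenLevel -Value 'Block' -Type String
    Get-SmartScreenPolicy
}

Get-SmartScreenPolicy
# Set-SmartScreenEnforced    # uncomment on a test machine; requires an elevated session
```

Block mode only matters for files that carry MOTW, which is exactly what this bypass removes; treat it as the backstop for the extractor versions you have not yet found, not as a substitute for the patch or for the application control rule above.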

A useful environmental control is to standardize on 7-Zip or Windows's built-in archive handling for end users and reserve WinRAR only for users with documented business needs. This reduces attack surface without requiring a specific CVE patch cycle.

What does this mean for software supply chain programs?

For software supply chain programs, CVE-2025-0411 reinforces that archive handling is a dependency surface most teams do not inventory. Every product that unpacks archives, whether a desktop utility, a server-side file transfer engine, or a sandbox, inherits the risk of the archive parser it uses. Vendor questionnaires rarely ask "which archive library do you use and what version is it," and SBOMs generated from manifest files miss statically linked or bundled archive engines entirely.

The RomCom campaigns also underscore that MOTW bypasses are high-value primitives for nation-state groups because they unlock the rest of the Windows attack chain. A robust supply chain program tracks archive libraries (WinRAR, 7-Zip, libarchive, LZMA SDK, Info-ZIP) alongside the application-level dependencies everyone already scans.

How Safeguard.sh Helps

Safeguard.sh inventories every product in your estate that bundles the WinRAR engine or unrar library through 100-level binary-aware dependency scanning, including SDK-embedded copies that manifest-only SCA tools miss entirely. Reachability analysis reduces 60 to 80 percent of findings by identifying which deployments actually invoke archive extraction on untrusted input versus those that link the library but never call it. Griffin AI autonomously generates patch pull requests for products you control, opens TPRM tickets for vendors whose products embed vulnerable unrar, and creates WDAC or AppLocker policy recommendations tuned to your environment. Container self-healing rebuilds Windows images against patched bases, and SBOM generation and ingest unify your view of direct and transitive archive-library exposure across all artifacts.
