CVE-2025-33028

In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, WinZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. NOTE: a third party has reported that this is a false positive, and has observed that the original CVE-2025-33028.md file has been deleted on GitHub. Also, this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20%28WinZip%29/CVE-2025-33028.md
https://github.com/EnisAksu/Argonis/commit/5e1ff4e5f4fdb3f32aab465f7b429e0b91299d1d
https://kb.winzip.com/help/help_whatsnew.htm

Configurations

No configuration.

History

No history.

Information

Published : 2025-04-15 18:15

Updated : 2025-10-24 20:16

NVD link : CVE-2025-33028

Mitre link : CVE-2025-33028

CVE.ORG link : CVE-2025-33028

JSON object : View

Products Affected

No product.

CWE

CWE-830

Inclusion of Web Functionality from an Untrusted Source

{"id": "CVE-2025-33028", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2025-04-15T18:15:53.333", "references": [{"url": "https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20%28WinZip%29/CVE-2025-33028.md", "source": "[email protected]"}, {"url": "https://github.com/EnisAksu/Argonis/commit/5e1ff4e5f4fdb3f32aab465f7b429e0b91299d1d", "source": "[email protected]"}, {"url": "https://kb.winzip.com/help/help_whatsnew.htm", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-830"}]}], "descriptions": [{"lang": "en", "value": "In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, WinZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. NOTE: a third party has reported that this is a false positive, and has observed that the original CVE-2025-33028.md file has been deleted on GitHub. Also, this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content."}, {"lang": "es", "value": "En WinZip hasta la versi\u00f3n 29.0, existe una vulnerabilidad de omisi\u00f3n de la marca de la web debido a una correcci\u00f3n incompleta para CVE-2024-8811. Esta vulnerabilidad permite a los atacantes eludir el mecanismo de protecci\u00f3n de la marca de la web en las instalaciones afectadas de WinZip. Para explotar esta vulnerabilidad, se requiere la interacci\u00f3n del usuario, ya que el objetivo debe visitar una p\u00e1gina maliciosa o abrir un archivo malicioso. La falla espec\u00edfica se encuentra en la gesti\u00f3n de archivos comprimidos. Al extraer archivos de un archivo comprimido manipulado con la marca de la web, WinZip no la propaga a los archivos extra\u00eddos. Un atacante puede aprovechar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario en el contexto del usuario actual."}], "lastModified": "2025-10-24T20:16:08.937", "sourceIdentifier": "[email protected]"}