CVE-2025-50328
B1 Free Archiver MotW Bypass Vulnerability
Publication date: 2026-04-29
Last updated on: 2026-04-30
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| b1_free_archiver | b1_free_archiver | 1.5.86 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether files extracted using B1 Free Archiver v1.5.86 retain the Windows 'Zone.Identifier' alternate data stream, which marks files as downloaded from the internet.
To confirm the issue, you can download a test archive (e.g., a malicious '7Z.zip' file containing an executable), extract it using B1 Free Archiver, and then check if the extracted files have the 'Zone.Identifier' stream.
- Use the PowerShell command `Get-Item -Path <extracted_file_path> -Stream *` to list the streams on an extracted file and check for Zone.Identifier.
- Alternatively, in cmd.exe, use `more < <extracted_file_path>:Zone.Identifier` to view the contents of the alternate data stream.
If the downloaded archive carries the 'Zone.Identifier' stream but the extracted files do not, the vulnerability is present and the MotW protection is bypassed.
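The check described above, as an added PowerShell example (not from the CVE record or the vendor): it compares the archive's Zone.Identifier with that of every extracted file. The function names and the constructed demo files are assumptions, and it needs Windows with an NTFS volume.

```powershell
# Added example: audit whether MotW propagated from a downloaded archive to its extracted files.
# Get-ZoneId and Test-MotwPropagation are hypothetical helper names, not part of any product.
function Get-ZoneId {
    param([string]$Path)
    # Read the Zone.Identifier alternate data stream; return $null when it is absent.
    try {
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-MotwPropagation {
    param([string]$ArchivePath, [string]$ExtractedDir)
    $archiveZone = Get-ZoneId -Path $ArchivePath
    if ($null -eq $archiveZone) {
        # Without a mark on the archive, a missing mark on the output proves nothing.
        Write-Warning "Archive has no Zone.Identifier; the comparison is not meaningful."
        return
    }
    Get-ChildItem -LiteralPath $ExtractedDir -Recurse -File | ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            ArchiveZone = $archiveZone
            FileZone    = $zone
            MotwLost    = ($null -eq $zone)
        }
    }
}

# Constructed demo data: a placeholder "archive" marked ZoneId=3 (Internet),
# one output file that kept the mark and one that lost it.
$root = Join-Path $env:TEMP ("motw-demo-" + [guid]::NewGuid())
$out  = New-Item -ItemType Directory -Path (Join-Path $root 'extracted') -Force
$zip  = Join-Path $root 'sample.zip'
$mark = "[ZoneTransfer]", "ZoneId=3"
Set-Content -LiteralPath $zip -Value 'placeholder'
Set-Content -LiteralPath $zip -Stream Zone.Identifier -Value $mark
Set-Content -LiteralPath (Join-Path $out 'kept.txt') -Value 'a'
Set-Content -LiteralPath (Join-Path $out 'kept.txt') -Stream Zone.Identifier -Value $mark
Set-Content -LiteralPath (Join-Path $out 'lost.txt') -Value 'b'

Test-MotwPropagation -ArchivePath $zip -ExtractedDir $out.FullName | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

To audit a real extraction, call `Test-MotwPropagation` with the downloaded archive and the folder the archiver wrote to; rows with `MotwLost` set to True are files that lost the mark.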
How can this vulnerability impact me?
This vulnerability can impact you by allowing untrusted or potentially malicious files extracted using B1 Free Archiver to execute without any security warnings or prompts from Windows.
Because the Mark of the Web protections are bypassed, users may be tricked into running harmful code, increasing the risk of malware infections or social engineering attacks.
Can you explain this vulnerability to me?
CVE-2025-50328 is a vulnerability in B1 Free Archiver version 1.5.86 that allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections.
Normally, when files are downloaded from the internet, Windows attaches a 'Zone.Identifier' alternate data stream to mark them as potentially unsafe. This marking triggers security features like Windows Defender SmartScreen warnings and prompts.
However, due to this vulnerability, B1 Free Archiver fails to propagate the 'Zone.Identifier' stream to the extracted files. As a result, these files appear trusted and can be executed without triggering security warnings or prompts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in B1 Free Archiver v1.5.86 that allows files to bypass Windows Mark of the Web protections, users should avoid extracting archives downloaded from the internet using this version of the software.
As a precaution, users can manually verify the trustworthiness of extracted files before execution and consider using alternative archiving tools that correctly propagate the Zone.Identifier alternate data stream.
Additionally, applying any available updates or patches from the software vendor that address this issue is recommended once they become available.
Can you explain this vulnerability to me?
This vulnerability exists in B1 Free Archiver version 1.5.86. When a user downloads an archive from the internet and extracts it using this software, the extracted files do not retain the 'Zone.Identifier' alternate data stream, which is used by Windows to mark files as coming from the internet.
Because the 'Zone.Identifier' is not propagated to the extracted files, Windows does not apply its usual security checks such as Mark of the Web (MotW) protections. This means that the files can be executed without triggering Windows Defender SmartScreen warnings or other security prompts.
As a result, untrusted or potentially malicious code can run without the normal security restrictions that would typically warn or block the user.
How can this vulnerability impact me?
This vulnerability can lead to untrusted code execution on your system without the usual security warnings or prompts from Windows Defender SmartScreen.
Because the extracted files bypass Mark of the Web protections, malicious files could run silently, increasing the risk of malware infection, unauthorized access, or other security breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in B1 Free Archiver v1.5.86 allows extracted files to bypass Windows Mark of the Web (MotW) protections, enabling execution without security prompts or SmartScreen warnings. This increases the risk of untrusted code execution and potential malware delivery.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to execute untrusted code without warnings could lead to security incidents involving unauthorized access or data breaches.
Such security incidents could negatively impact compliance with regulations that require protection of sensitive data and implementation of adequate security controls, such as GDPR and HIPAA.