CVE-2025-50328
Received Received - Intake
B1 Free Archiver MotW Bypass Vulnerability

Publication date: 2026-04-29

Last updated on: 2026-04-30

Assigner: MITRE

Description
A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-50328
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
b1_free_archiver b1_free_archiver 1.5.86
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in B1 Free Archiver version 1.5.86. When a user downloads an archive from the internet and extracts it using this software, the extracted files do not retain the 'Zone.Identifier' alternate data stream, which is used by Windows to mark files as coming from the internet.

Because the 'Zone.Identifier' is not propagated to the extracted files, Windows does not apply its usual security checks such as Mark of the Web (MotW) protections. This means that the files can be executed without triggering Windows Defender SmartScreen warnings or other security prompts.

As a result, untrusted or potentially malicious code can run without the normal security restrictions that would typically warn or block the user.

Impact Analysis

This vulnerability can lead to untrusted code execution on your system without the usual security warnings or prompts from Windows Defender SmartScreen.

Because the extracted files bypass Mark of the Web protections, malicious files could run silently, increasing the risk of malware infection, unauthorized access, or other security breaches.

Detection Guidance

This vulnerability can be detected by verifying whether files extracted using B1 Free Archiver v1.5.86 retain the Windows 'Zone.Identifier' alternate data stream, which marks files as downloaded from the internet.

To confirm the issue, you can download a test archive (e.g., a malicious '7Z.zip' file containing an executable), extract it using B1 Free Archiver, and then check if the extracted files have the 'Zone.Identifier' stream.

  • Use the PowerShell command to check for the Zone.Identifier stream on an extracted file: Get-Item -Path <extracted_file_path> -Stream *
  • Alternatively, use the command: more <extracted_file_path>:Zone.Identifier to view the contents of the alternate data stream.

If the 'Zone.Identifier' stream is missing from the extracted files, it indicates the vulnerability is present and the MotW protection is bypassed.

Compliance Impact

The vulnerability in B1 Free Archiver v1.5.86 allows extracted files to bypass Windows Mark of the Web (MotW) protections, enabling execution without security prompts or SmartScreen warnings. This increases the risk of untrusted code execution and potential malware delivery.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to execute untrusted code without warnings could lead to security incidents involving unauthorized access or data breaches.

Such security incidents could negatively impact compliance with regulations that require protection of sensitive data and implementation of adequate security controls, such as GDPR and HIPAA.

Mitigation Strategies

To mitigate the vulnerability in B1 Free Archiver v1.5.86 that allows files to bypass Windows Mark of the Web protections, users should avoid extracting archives downloaded from the internet using this version of the software.

As a precaution, users can manually verify the trustworthiness of extracted files before execution and consider using alternative archiving tools that correctly propagate the Zone.Identifier alternate data stream.

Additionally, applying any available updates or patches from the software vendor that address this issue is recommended once they become available.

Impact Analysis

This vulnerability can impact you by allowing untrusted or potentially malicious files extracted using B1 Free Archiver to execute without any security warnings or prompts from Windows.

Because the Mark of the Web protections are bypassed, users may be tricked into running harmful code, increasing the risk of malware infections or social engineering attacks.

Executive Summary

CVE-2025-50328 is a vulnerability in B1 Free Archiver version 1.5.86 that allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections.

Normally, when files are downloaded from the internet, Windows attaches a 'Zone.Identifier' alternate data stream to mark them as potentially unsafe. This marking triggers security features like Windows Defender SmartScreen warnings and prompts.

However, due to this vulnerability, B1 Free Archiver fails to propagate the 'Zone.Identifier' stream to the extracted files. As a result, these files appear trusted and can be executed without triggering security warnings or prompts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-50328. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart