ALZip Vulnerability CVE-2025-29864 Bypass Windows Mark of the Web Defenses

Answer Brief

A vulnerability in ESTsoft ALZip versions 12.01 through 12.29 fails to propagate 'Mark of the Web' (MoTW) Zone.Identifier streams when extracting files. This flaw, tracked as CVE-2025-29864, allows malicious content to bypass Windows security warnings, potentially leading to unauthorized code execution if users are tricked into opening unflagged malicious files.

Why It Matters

The discovery of CVE-2025-29864 highlights a persistent challenge in file archive management: the preservation of security metadata across file operations. ALZip, a compression utility developed by ESTsoft and widely used in South Korea, was found to drop the Zone.Identifier stream during extraction. This stream is critical for the Mark of the Web (MoTW) mechanism, which Windows uses to signal that a file originated from an untrusted source, such as the internet or an email attachment.

Technically, this vulnerability is categorized as a security feature bypass. When a user downloads a compressed archive, Windows tags it with an MoTW attribute. If the extraction tool fails to propagate this attribute to the contents within the archive, those files appear to the operating system as locally created and safe. This bypasses automated defenses like SmartScreen and the security prompts in Microsoft Office that prevent the execution of untrusted macros.
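As an added example (not ESTsoft's or ALZip's code), the following Python audit checks whether files extracted from an internet-downloaded archive kept its Zone.Identifier stream and, as a correct extractor would, copies the archive's mark onto any that lack it. The `[ZoneTransfer]`/`ZoneId` layout is the real stream format; the parse and decision helpers run anywhere, while the stream read/write helpers only work on NTFS volumes under Windows.

```python
import os

STREAM = ":Zone.Identifier"  # NTFS alternate data stream that carries the Mark of the Web
URLZONE_INTERNET = 3         # ZoneId 3 = Internet, 4 = Restricted; both trigger SmartScreen/Protected View

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block into a dict of its key=value fields."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def is_marked(stream_text) -> bool:
    """True when the stream says the file came from an untrusted zone (ZoneId >= 3)."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text).get("ZoneId", "")
    return zone.isdigit() and int(zone) >= URLZONE_INTERNET

def missing_motw(archive_stream, extracted: dict) -> list:
    """Paths in {path: stream-or-None} that lost the archive's mark (the CVE-2025-29864 condition)."""
    if not is_marked(archive_stream):
        return []  # the archive itself carried no mark, so there was nothing to propagate
    return sorted(path for path, stream in extracted.items() if not is_marked(stream))

def read_stream(path: str):
    """Read a file's Zone.Identifier ADS (Windows/NTFS only); None when the stream is absent."""
    try:
        with open(path + STREAM, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def propagate(archive: str, dest_dir: str) -> list:
    """What a correct extractor does: copy the archive's mark onto every unmarked extracted file."""
    src = read_stream(archive)
    if src is None:
        return []
    paths = [os.path.join(d, n) for d, _, names in os.walk(dest_dir) for n in names]
    for path in paths:
        if read_stream(path) is None:
            with open(path + STREAM, "w", encoding="utf-8") as f:
                f.write(src)
    return missing_motw(src, {path: read_stream(path) for path in paths})  # [] means all files are marked
```

On a Windows host, `propagate(r"C:\Users\me\Downloads\a.zip", r"C:\Users\me\Downloads\a")` after extracting returns an empty list once every extracted file carries the mark; a non-empty list names the files a vulnerable extractor left unflagged.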

Technical Signal

For global security teams, the signal here is particularly relevant to organizations with South Korean operations or supply chain partners. ALZip is a localized market leader, and its presence on corporate endpoints creates a specific risk surface. If a threat actor delivers malware via a .zip or .7z file, and the user extracts it using a vulnerable version of ALZip, the primary defensive layer designed to stop 'initial access' techniques is neutralized.

Operationally, this impacts IT and security operations center (SOC) teams who rely on host-based telemetry. If MoTW is bypassed, the subsequent execution of a file may not trigger the expected 'untrusted' telemetry flags, potentially leading to a slower detection time. It places a higher burden on endpoint detection and response (EDR) tools to identify malicious behavior post-execution rather than preventing the execution at the gateway.

Operational Impact

Risk boundaries for this vulnerability are capped at CVSS 6.2, reflecting that it is not a direct remote code execution (RCE) flaw but an enabler of such attacks. The attacker still needs to trick the user into downloading and extracting the file. However, in a phishing-heavy threat landscape, a reliable MoTW bypass is a highly sought-after component for a successful infection chain.

Regional relevance is high due to ESTsoft's dominant position in the Korean software ecosystem. The coordination of this disclosure by KrCERT/CC indicates the importance of the patch for national cybersecurity posture. Large enterprises should audit for the presence of ALZip on their networks and enforce an update to version 12.30 to mitigate this specific bypass vector.

What To Watch

Readers should watch for subsequent reports of threat actors utilizing this specific ALZip behavior in active campaigns. Historically, when popular archive utilities have MoTW issues, advanced persistent threat (APT) groups targeting that specific region are quick to incorporate the exploit into their delivery documents. Monitoring for unversioned or outdated ALZip installations should become a priority for compliance and risk management teams.

Event Type: security
Importance: medium

Affected Companies

  • ESTsoft
  • KISA
  • KrCERT/CC

Affected Sectors

  • Cybersecurity
  • Software Development

Key Numbers

  • CVSS Score: 6.2
  • Affected Versions: 12.01 to 12.29
  • Resolution Version: 12.30

Timeline

  1. Vulnerability officially published by KrCERT/CC
  2. Current status confirmed; update available via ALTools

Frequently Asked Questions

What is the specific risk associated with CVE-2025-29864?

The risk involves bypassing the Mark of the Web (MoTW) security feature. When ALZip extracts files, it fails to create the Zone.Identifier stream. This means Windows does not recognize the files as originating from the internet, so 'Protected View' and the security warnings that usually block malicious macros and scripts are never triggered.

Which versions of ALZip are vulnerable to this MoTW bypass?

Versions 12.01 through 12.29 of ALZip are affected. Users should immediately verify their installed version and upgrade to ALZip 12.30 or higher to ensure that the Zone.Identifier stream is correctly preserved during file extraction.

How do I fix CVE-2025-29864 on my systems?

Administrators and users should download the latest version (12.30 or later) from the official ALTools website. Updating the software restores the correct handling of internet-sourced metadata, ensuring Windows security features can evaluate the risk of extracted files properly.
