CVE-2025-1240HIGH 8.8EPSS p94.9%

CVE-2025-1240CVE-2025-1240

Description

WinZip 7Z File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 7Z files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24986.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS9.69% probability of exploitation · percentile 94.9% · 2026-06-19T12:03:05Z
Published2025-02-11
Last modified2025-08-18

Underlying weaknesses· 1

CWE-787

References

  1. https://www.zerodayinitiative.com/advisories/ZDI-25-047/

1

TypeTargetConfidenceTier
WeaknessOut-of-bounds Writecwe-7870%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
7-Zip Mark of the Web Bypass Vulnerability
CVE
CVE-2026-48111
CVE
CVE-2026-48103
CVE
CVE-2026-48095
CVE
CVE-2026-48102
CVE
CVE-2026-48092
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.