New Zip Slip Vulnerability Enables Attackers to Exploit ZIP Files During Decompression
A newly observed variant of the Zip Slip vulnerability has emerged, allowing threat actors to exploit path traversal flaws in widely used decompression utilities. The attack relies on crafting archives whose entries carry file names with relative path components such as "../". When an unsuspecting user or automated system extracts such an archive with a tool that does not sanitise entry names, files are written outside the intended extraction directory and can overwrite critical system or application binaries. Early reports indicate that attackers are weaponising the technique to implant backdoors and escalate privileges on both Windows and Unix targets. Whereas a well-formed archive keeps every entry beneath the extraction folder, these malicious ZIP files contain entries that defeat inadequate path sanitisation and deposit payloads directly into system directories. Initial incidents were identified during internal penetration tests, but more sophisticated campaigns attributed to the RomCom APT group have demonstrated live-fire exploitation in enterprise environments.
According to ASEC analysts, this variant takes advantage of the general purpose bit flag in the ZIP header to encode path separators, evading detection by signature-based scanners. In one notable case, a compromised email attachment delivered a ZIP archive that, when opened with an outdated decompression tool, silently overwrote a legitimate startup script. Examination of the archive structure reveals that the file name field of the local file header, which begins at offset 0x1E (30 bytes into the header), contains path segments separated by percent-encoded slashes that are decoded only when the file is created on disk. Subsequent reverse engineering showed that the malicious archive was built with Python's zipfile module, which writes whatever name it is given into the file name field without validating it, so relative paths can be inserted directly. Path traversal flaws of this class that have recently been exploited include CVE-2025-8088, CVE-2025-6218, CVE-2022-30333, and CVE-2018-20250.

Beyond simple file overwrites, this variant is used to drop executable scripts and DLLs designed to maintain persistence. By writing payloads to startup folders or systemd service directories, attackers ensure execution on the next reboot. Detection is complicated by the fact that many decompression utilities neither normalise nor validate the canonical destination path before writing. Security teams are advised to use decompression libraries with built-in path traversal checks, to reject an archive outright if any entry resolves outside the extraction root rather than skipping the offending entry, and to extract untrusted archives into a dedicated, empty directory inside a sandboxed environment.
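The following script is an added illustration of both halves of the problem described above: how a traversal entry is placed into the file name field with Python's zipfile module, and what a path-aware extractor must check before writing. It is not code from ASEC, RomCom, or any of the products named in the advisory; the archive contents and entry names (readme.txt, ../../startup.sh, /etc/cron.d/evil) are constructed samples, and is_unsafe_entry and safe_extract are hypothetical helper names. Note that CPython's own ZipFile.extractall strips leading slashes and ".." components, so this check matters for tools and libraries that do not.

```python
import io
import posixpath
import tempfile
import zipfile
from pathlib import Path


def build_malicious_zip() -> bytes:
    """Constructed sample: one benign entry plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign content\n")
        # ZipInfo accepts any string and zipfile never validates it, so a
        # relative or absolute path goes straight into the file name field.
        zf.writestr(zipfile.ZipInfo("../../startup.sh"), "#!/bin/sh\necho pwned\n")
        zf.writestr(zipfile.ZipInfo("/etc/cron.d/evil"), "* * * * * root /tmp/x\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample: every entry stays beneath the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
        zf.writestr("docs/notes.txt", "notes\n")
    return buf.getvalue()


def is_unsafe_entry(name: str) -> bool:
    """Flag absolute paths, drive-letter paths and names that escape upward."""
    n = name.replace("\\", "/")  # treat Windows separators as separators too
    if n.startswith("/"):
        return True
    if len(n) > 1 and n[1] == ":":  # C:\... style drive-letter path
        return True
    # normpath collapses "a/../b" to "b"; only a leading ".." left afterwards escapes
    return posixpath.normpath(n).split("/")[0] == ".."


def unsafe_entries(data: bytes) -> list[str]:
    """Static scan of an archive's central directory for traversal entries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n)]


def safe_extract(data: bytes, dest_dir: str) -> list[str]:
    """Extract only if every entry's canonical destination lies under dest_dir.

    Validation runs over the whole archive before anything is written, so one
    bad entry rejects the archive instead of leaving a partial extraction.
    """
    root = Path(dest_dir).resolve()
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = []
        for info in zf.infolist():
            if is_unsafe_entry(info.filename):
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            target = (root / info.filename.replace("\\", "/")).resolve()
            # Canonical-path check: the resolved destination must be the root
            # itself or lie strictly beneath it, whatever the raw name looked like.
            if target != root and root not in target.parents:
                raise ValueError(f"entry escapes extraction root: {info.filename!r}")
            plan.append((info, target))
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(root).as_posix())
    return written


def demo() -> dict:
    """Scan the malicious sample, then show it is rejected while the benign one extracts."""
    malicious, benign = build_malicious_zip(), build_benign_zip()
    result = {"flagged": unsafe_entries(malicious)}
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(malicious, d)
            result["malicious_blocked"] = False
        except ValueError:
            result["malicious_blocked"] = True
        result["benign_written"] = safe_extract(benign, d)
    return result


if __name__ == "__main__":
    print(demo())
```

The static scan in unsafe_entries is what a mail gateway or upload handler can run without extracting anything; the canonical-path check in safe_extract is the last line of defence at write time and catches anything the name check misses, including a name that only becomes a traversal after some later decoding step.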
Categories: Vulnerability Exploitation, Path Traversal Attacks, Decompression Utility Risks
Tags: Zip Slip, Vulnerability, Path Traversal, Decompression, Malicious Archives, Backdoors, Privilege Escalation, Exploitation, Cybersecurity, Detection