CVE-2025-33028
CVE-2025-33028 is a medium-severity vulnerability with a CVSS 3.x base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-830.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- EPSS exploit prediction: 0% (38th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-13392
- Weakness: CWE-830
- Published:
- Last modified:
Description
In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, WinZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. NOTE: a third party has reported that this is a false positive, and has observed that the original CVE-2025-33028.md file has been deleted on GitHub. Also, this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content.
Frequently asked questions
- What is CVE-2025-33028?
- In WinZip through 29.0, there is a Mark-of-the-Web Bypass Vulnerability because of an incomplete fix for CVE-2024-8811. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, WinZip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. NOTE: a third party has reported that this is a false positive, and has observed that the original CVE-2025-33028.md file has been deleted on GitHub. Also, this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content.
- How severe is CVE-2025-33028?
- CVE-2025-33028 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2025-33028 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (38th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-33028?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-33028 have an EU (EUVD) identifier?
- Yes. CVE-2025-33028 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-13392.
- When was CVE-2025-33028 published?
- CVE-2025-33028 was published on 2025-04-15 and last updated on 2026-06-17.
References
- https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20%28WinZip%29/CVE-2025-33028.md
- https://github.com/EnisAksu/Argonis/commit/5e1ff4e5f4fdb3f32aab465f7b429e0b91299d1d
- https://kb.winzip.com/help/help_whatsnew.htm
Other CWE-830 vulnerabilities
- CVE-2023-2588 — High (CVSS 8.8): Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed…
- CVE-2025-65109 — High (CVSS 8.5): Minder is an open source software supply chain security platform. In Minder Helm version 0.20241106.3386+ref.2507dbf…
- CVE-2024-29944 — High (CVSS 8.4): An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript…
- CVE-2024-42381 — High (CVSS 8.3): os/linux/elf.rb in Homebrew brew before 4.2.20 uses ldd to load ELF files obtained from untrusted sources, which allows…
- CVE-2025-46652 — Medium (CVSS 6.1): In IZArc through 4.5, there is a Mark-of-the-Web Bypass Vulnerability. When a user performs an extraction from an…
- CVE-2025-43703 — Medium (CVSS 6.1): An issue was discovered in Ankitects Anki through 25.02. A crafted shared deck can result in attacker-controlled access…