Security Vulnerability Report
CVE-2025-50328 CVSS 7.3 HIGH

CVE-2025-50328

Published: 2026-04-29 21:16:20
Last Modified: 2026-04-30 15:48:27

Description

A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

B1 Free Archiver v1.5.86

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept: Check for missing MotW after extraction
# This script demonstrates how to check if a file has the Zone.Identifier stream.
# In a real scenario, an attacker would craft a zip file, the victim extracts it using B1,
# and then runs this check on the extracted file to see if the protection is gone.
import os


def check_motw(filepath):
    """Check if a file has a Zone.Identifier stream."""
    # On NTFS, an alternate data stream is addressed as "<file>:<stream name>".
    stream_path = filepath + ":Zone.Identifier"
    if os.path.exists(stream_path):
        print(f"[+] MotW found on {filepath}")
        with open(stream_path, 'r') as f:
            print(f.read())
    else:
        print(f"[-] MotW MISSING on {filepath} - Vulnerability Confirmed if extracted from internet!")


# Example usage:
# malicious_file = "extracted_malware.exe"
# check_motw(malicious_file)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-50328", "sourceIdentifier": "[email protected]", "published": "2026-04-29T21:16:19.600", "lastModified": "2026-04-30T15:48:26.580", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-290"}]}], "references": [{"url": "https://b1.org/", "source": "[email protected]"}, {"url": "https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version", "source": "[email protected]"}, {"url": "https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}