Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.
AnalysisAI
B1 Free Archiver v1.5.86 strips Mark of the Web (MotW) protections from files extracted from internet-downloaded archives, allowing untrusted executables to run without Windows Defender SmartScreen warnings. Attackers can deliver malware via email attachments or malicious downloads that, when extracted using this archiver, bypass Windows security prompts entirely. EPSS exploitation probability is minimal (0.01%) with no active exploitation or public POC identified, suggesting limited real-world targeting despite the 7.3 CVSS score and theoretical RCE capability.
Technical ContextAI
Windows Mark of the Web (MotW) is a security mechanism that appends a 'Zone.Identifier' alternate data stream (ADS) to files downloaded from the internet, triggering SmartScreen warnings when executables or potentially dangerous files are opened. Archive extraction software is responsible for propagating this ADS to extracted contents. B1 Free Archiver v1.5.86 fails to implement this propagation, creating a CWE-290 (Authentication Bypass by Spoofing) condition where files lose their internet origin context. This allows executables extracted from malicious archives to run with the same trust level as locally-created files, effectively bypassing a critical defense-in-depth layer in Windows security architecture. The vulnerability exists in the extraction logic of the archiver software itself, not in specific archive formats.
RemediationAI
No vendor-released patch or fixed version has been identified in available data sources at time of analysis. Organizations using B1 Free Archiver should implement compensating controls: switch to alternative archive extraction tools that properly propagate MotW (Windows built-in extraction, 7-Zip 23.0+, WinRAR 6.0+) for handling internet-sourced archives; if B1 Free Archiver must be used, configure endpoint security solutions to block execution of files from common extraction directories (Downloads, Temp) without administrative approval; deploy application control policies (AppLocker, WDAC) to require code signing or explicit allow-listing for executables, which mitigates MotW bypass but may impact legitimate software installation workflows. Network-level controls such as email attachment filtering to block executable content within archives provide defense-in-depth but cannot prevent browser downloads or USB transfer scenarios. Monitor https://b1.org/ and https://github.com/math69b/B1FREE for vendor updates regarding patched versions.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209592