Normal view
SQLi flaw in Elementor Ally plugin impacts 250k+ WordPress sites
CISA orders feds to patch n8n RCE flaw exploited in attacks
Medtech giant Stryker offline after Iran-linked wiper malware attack
New PhantomRaven NPM attack wave steals dev data via 88 packages
Meta adds new WhatsApp, Facebook, and Messenger anti-scam tools
Multiple vulnerabilities in Micro Research MR-GM5L-S1 and MR-GM5A-L1
New βBlackSantaβ EDR killer spotted targeting HR departments
New BeatBanker Android malware poses as Starlink app to hijack devices
New 'Zombie ZIP' technique lets malware slip past security tools
Microsoft releases Windows 10 KB5078885 extended security update
Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws
Windows 11 KB5079473 & KB5078883 cumulative updates released
HPE warns of critical AOS-CX flaw allowing admin password resets
Microsoft brings phishing-resistant Windows sign-ins via Entra passkeys
New KadNap botnet hijacks ASUS routers to fuel cybercrime proxy network
-
CERT Recently Published Vulnerability Notes
- VU#976247: Retraction of "Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed ZIP archives"
VU#976247: Retraction of "Antivirus and Endpoint Detection and Response Archive Scanning Engines may not properly scan malformed ZIP archives"
Overview
Malformed ZIP headers can be used to obfuscate malicious content in ZIP files from antivirus detection tools. Despite the presence of malformed headers, custom extraction software can decompress the ZIP archive, allowing potentially malicious payloads to be recovered after successful antivirus evasion.
After a review of the researcher's published PoC and further analysis of the case, we have determined that this issue does not meet the necessary criteria to be considered a vulnerability. The originally reported behavior was based on a misunderstanding of native archive-handling capabilities in common operating systems such as Windows and Linux. It was initially believed that native extraction tools could successfully decompress ZIP files with malformed headers, while EDRs and antivirus security tools would fail. After additional testing, we have determined that extraction is not possible through standard archiving tools, and recovering the payload would instead require a custom loader. Accordingly, this technique can be more accurately described as an obfuscation method, as it does not meaningfully violate any implicit or explicit security boundaries.
Description
ZIP archives contain metadata such as compression method, flags, and version information. Antivirus engines typically rely on this metadata to determine how to preprocess files before scanning. If an attacker modifies the compression-method header field, antivirus software may fail to properly decompress the file and will, therefore, be unable to analyze the actual payload.
After antivirus evasion, the payload can be recovered by using a custom loader that ignores the declared Method field and instead decompresses embedded data directly. This allows an attacker to hide malicious content from antivirus engines while still being able to recover it programmatically.
Notably, standard extraction tools (e.g. 7βZip, unzip, bsdtar, Pythonβs zipfile) trust the declared compression method and attempt decompression but then fail with CRC or βunsupported methodβ errors. These tools do not extract the payload and do not expose the underlying data.
This vulnerability is similar to VU#968818, CVE-2004-0935 but requires unique unpacking tools to enable any abuse or misuse.
Impact
This ZIP header obfuscation method requires custom tooling to fully recover the concealed malicious content. The impact of this obfuscation technique is limited to systems where other security policies (e.g., running arbitrary unzipping tools) may need to be bypassed to enable such an attack.
Solution
Antivirus and EDR vendors should consider alerting on such behavior to ensure their customers are aware of malformed headers in zip content. Users should not use third-party tools or custom unzip capabilities to allow malicious content to be installed on their systems.
Acknowledgements
Thanks to the reporter, Christopher Aziz. This document was written by Laurie Tyzenhaus.
Vendor Information
Other Information
| Date Public: | 2004-12-10 |
| Date First Published: | 2026-03-09 |
| Date Last Updated: | 2026-03-24 20:27 UTC |
| Document Revision: | 4 |
-
JVNRSS Feed - Update Entry
- Improper file access permission settings in multiple Digital Arts products