Overview

Malformed ZIP headers can cause antivirus and endpoint detection and response software (EDR) to produce false negatives. Despite the presence of malformed headers, some extraction software is still able to decompress the ZIP archive, allowing potentially malicious payloads to run upon file decompression.

Description

ZIP archives contain metadata such as compression method, flags, and version information. Antivirus engines typically rely on this metadata to determine how to preprocess files before scanning. If an attacker modifies the compression method field, antivirus software may fail to properly decompress the file, and will therefore be unable to analyze the actual payload.

After antivirus evasion, the payload can be recovered by using a custom loader that ignores the declared Method field and instead decompresses embedded data directly. This allows the attacker to hide malicious content from antivirus engines while still being able to recover it programmatically.

Notably, standard extraction tools (e.g.: 7‑Zip, unzip, bsdtar, Python’s zipfile) trust the declared compression method and attempt decompression, but then fail with CRC or “unsupported method” errors. These tools do not extract the payload and do not expose the underlying data.

This vulnerability is similar to VU#968818, CVE-2004-0935.

Impact

A remote attacker may craft a ZIP archive with tampered metadata that prevents antivirus or EDR software from properly decompressing and inspecting its contents. The file can thereby evade full analysis, though many products will still flag it as corrupted. To execute malicious code, however, a user must extract or further process the archive. Standard extraction tools may or may not reveal the hidden payload. It is possible that a custom loader that ignores the declared compression method could recover and execute the concealed content.

Solution

Antivirus and EDR vendors should not rely solely on declared archive metadata to determine content handling. Scanners should have more aggressive detection modes to validate compression method fields against actual content characteristics, and flag inconsistencies for further inspection. Users are encouraged to contact their antivirus or EDR providers to identify whether they are vulnerable and obtain guidance on additional mitigation options.

Acknowledgements

Thanks to the reporter, Christopher Aziz. This document was written by Laurie Tyzenhaus.

Vendor Information

References

• https://github.com/bombadil-systems/zombie-zip
• https://kb.cert.org/vuls/id/968818
• https://www.cvedetails.com/cve/CVE-2004-0935/

Overview

The Rakuten Viber messaging app for Android V25.7.2.0g and Windows V25.6.0.0-V25.8.1.0, has a flaw in its TLS handshake implementation when using the Cloak proxy configuration. This flaw allows for easy identification of proxy usage, potentially compromising user anonymity.

Description

Rakuten Viber can be configured to use a proxy server. Multiple proxy configurations, including Cloak, are supported. Rakuten Viber in Android V25.7.2.0g and Windows V25.6.0.0–V25.8.1.0 exhibits a flaw in the TLS handshake implementation for Cloak mode. Cloak mode is designed to hide the fact that a proxy or VPN is in use. However, the Cloak proxy mode has a rigid and easily identified fingerprint, making it trivially identifiable by Deep Packet Inspection (DPI) systems. This allows networks to block Viber traffic, undermining the app's ability to circumvent censorship and potentially leading to denial of service in certain cases.

Impact

The Cloak-mode proxy traffic fails to hide the use of a proxy. The outgoing data is easily identifiable due to the rigid fingerprint and no longer appears to be normal browser TLS behavior. The user has no indication the proxy is not protecting their data.

Solution

Windows users should upgrade to V27.3.0.0 or later, and Android users should upgrade to V27.2.0.0g or later. For continued support, Windows users can implement automatic updates for Viber.

Acknowledgements

Thanks to the reporter Oleksii Gaienko, an independent security researcher. This document was written by Laurie Tyzenhaus.

Vendor Information

References

• https://www.viber.com/en/download/
• https://www.viber.com/en/download-android-update/

Overview

A command injection vulnerability was identified in the MS-Agent framework that can be triggered through unsanitized prompt-derived input. An attacker can craft untrusted input introduced via a chat prompt or other external content sources, resulting in arbitrary command execution on the target system(s) where the MS-Agent framework is deployed. No patch or vendor statement was obtained during the coordination process.

Description

MS-Agent is a lightweight framework that enables agents to perform autonomous task execution and tool invocation. The MS-Agent framework includes several features, including a Shell tool that enables execution of commands on the target operating system to complete agentic actions.

A vulnerability has been identified that allows unsanitized input to be executed through the Shell tool. This occurs because the software does not sufficiently verify and sanitize content before execution. As a result, an attacker can leverage prompt injection techniques to influence the agent into executing unintended shell commands when interacting with attacker-controlled content.

The Shell tool relies on regular expression–based filtering in the check_safe() method, which is intended to restrict unsafe commands. The implemented default denylist can be bypassed, allowing crafted input to evade validation checks and reach the shell execution layer.

The vulnerability is tracked as:

CVE-2026-2256
Command injection vulnerability in ModelScope's ms-agent allows an attacker to execute arbitrary operating system commands through crafted prompt-derived input.

This vulnerability may be exploited when the agent is instructed to process or retrieve external content, such as analyzing code, summarizing documents, or performing other tasks that involve interacting with attacker-controlled data. If the retrieved or processed content contains malicious command sequences that bypass the check_safe() validation, the agent may forward those commands to the Shell tool for execution.

The use of a regular expression denylist in the check_safe() method is insufficient to prevent command injection. Denylist-based filtering is inherently fragile and can often be bypassed through encoding, command obfuscation, or alternative shell syntax. In this case, the filtering logic can be circumvented, enabling arbitrary command execution within the execution context of the agent process.

Impact

An attacker who successfully exploits this vulnerability may execute arbitrary operating system commands on the target with the privileges of the MS-Agent process. This may allow modification of system files, lateral movement within the environment, establishment of persistence mechanisms, or exfiltration of sensitive data accessible to the agent.

Solution

No statement was provided by the vendor during coordination efforts. Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or executed with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and implementing stronger isolation boundaries for tool execution.

Acknowledgements

Thanks to the reporter, Itamar Yochpaz, for this report. Document written by Christopher Cullen.

Vendor Information

References

• https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326
• https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC