CVE-2025-33027 : In Bandisoft Bandizip through 7.37, there is a Mark-of-the-Web Bypass Vulnerabil

In Bandisoft Bandizip through 7.37, there is a Mark-of-the-Web Bypass Vulnerability. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Bandizip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, Bandizip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.

Published 2025-04-15 00:00:00

Updated 2025-04-25 16:54:53

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2025-33027

Bandisoft » Bandizip
Versions up to, including, (<=) 7.37
cpe:2.3:a:bandisoft:bandizip:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2025-33027

EPSS FAQ

0.04%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 9 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-33027

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	N/A	N/A	MITRE	2025-04-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	MITRE	2025-04-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST	2025-04-25
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2025-33027

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Assigned by: nvd@nist.gov (Primary)
CWE-830 Inclusion of Web Functionality from an Untrusted Source

The product includes web functionality (such as a web widget) from another domain, which causes it to operate within the domain of the product, potentially granting total access and control of the product to the untrusted source.
Assigned by:
- 8254265b-2729-46b6-b9e3-3dfca2d5bfca (Primary)
- cve@mitre.org (Secondary)

References for CVE-2025-33027

https://en.bandisoft.com/bandizip/

Product
https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33027%20%28Bandizip%29/CVE-2025-33027.md

Third Party Advisory

Jump to

Vulnerability Details : CVE-2025-33027

Products affected by CVE-2025-33027

Exploit prediction scoring system (EPSS) score for CVE-2025-33027

CVSS scores for CVE-2025-33027

CWE ids for CVE-2025-33027

References for CVE-2025-33027