
CVE-2025-33027: CWE-830 Inclusion of Web Functionality from an Untrusted Source in Bandisoft Bandizip

Severity: Medium
Tags: Vulnerability, CVE-2025-33027, CWE-830
Published: Tue Apr 15 2025 (04/15/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Bandisoft
Product: Bandizip

Description

In Bandisoft Bandizip through 7.37, there is a Mark-of-the-Web Bypass Vulnerability. This vulnerability allows attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of Bandizip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, Bandizip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. NOTE: this is disputed because Mark-of-the-Web propagation can increase risk via security-warning habituation, and because the intended control sphere for file-origin metadata (e.g., HostUrl in Zone.Identifier) may be narrower than that for reading the file's content.

AI-Powered Analysis

Last updated: 10/24/2025, 19:50:32 UTC

Technical Analysis

CVE-2025-33027 affects Bandisoft Bandizip through version 7.37 and concerns how the archiver handles the Mark-of-the-Web (MotW). On Windows, MotW is a small Zone.Identifier NTFS alternate data stream that browsers, mail clients and other downloaders attach to files from untrusted origins. It holds at least a ZoneId (3 for the Internet zone, 4 for Restricted Sites) and often the HostUrl or ReferrerUrl the file came from. Consumers such as SmartScreen, Office Protected View and the shell's "Open File - Security Warning" prompt act on that stream.

Bandizip does not propagate the stream from a marked archive to the files it extracts. An attacker can therefore deliver a crafted archive, have the victim download it (so the archive itself is marked) and extract it; the resulting files are unmarked and run, or open in Office, without the warnings and restrictions MotW is meant to trigger. The record is classed under CWE-830 (inclusion of web functionality from an untrusted source); in practice the defect is loss of file-origin metadata during extraction. Exploitation requires user interaction: the target must obtain and extract the malicious archive, typically via a phishing attachment or a download link. Successful exploitation yields arbitrary code execution as the current user.

The CVSS v3.1 base score is 6.1 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact and no availability impact (a 6.1 with those metrics corresponds to a changed-scope vector). No public exploits are known at the time of writing. The entry is disputed: the argument is that propagating MotW can habituate users to warnings, and that origin metadata such as HostUrl has a narrower intended audience than the file content itself, so copying it to every extracted file may itself be undesirable. That dispute concerns how propagation should be done, not whether unmarked extracted files lose protection, so the risk to users who extract untrusted archives with Bandizip remains real.

Potential Impact

For European organizations the risk is moderate and concentrated on end-user systems where Bandizip is used to open archives from external sources. Successful exploitation gives an attacker code execution with the current user's privileges, enough to install malware, harvest credentials and data, or begin lateral movement. Because the extracted files carry no MotW, SmartScreen and Office Protected View do not intervene, so a user who would otherwise have been warned executes the payload without any prompt. Sectors that exchange many archives, such as finance, government and critical infrastructure, are more exposed. The flaw does not by itself escalate privileges or affect availability, but the confidentiality and integrity of the user's data are at stake. The need for user interaction rules out fully automated exploitation but not phishing-driven campaigns, which are exactly where archive attachments are common. No exploitation in the wild is known, which limits the current threat but says nothing about future use.

Mitigation Recommendations

European organizations should take the following steps:

1) Track Bandisoft release notes and update Bandizip as soon as a version that propagates MotW is available.
2) Treat archives from untrusted or unknown sources as hostile: scan them with up-to-date antivirus and endpoint tooling before extraction, and keep extraction out of shared or executable locations.
3) Train users that files extracted with Bandizip may arrive without the usual download warnings, so the absence of a prompt is not a sign that a file is safe.
4) Restrict Bandizip to users who need it, or standardize on an archiver that propagates MotW; before trusting any archiver, verify on a test file that the Zone.Identifier stream survives extraction.
5) Apply application control (AppLocker, WDAC or equivalent) so that executables and scripts cannot run from the user-writable directories where extracted files land.
6) Filter malicious archives at the perimeter with mail and web content filtering, including blocking or sandboxing archive attachments that contain executables or scripts.
7) Use EDR to flag suspicious chains such as an archiver process followed by execution of a freshly written, unmarked file from a user profile directory.
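The two things a practitioner wants here are a check that extracted files actually carry the mark and a way to re-apply it when the extractor drops it. The PowerShell below is an added example for this page, not Bandisoft code or anything shipped with Bandizip; the function names, the temp directory layout and the sample archive are constructed for the demonstration, and it assumes Windows, an NTFS volume and Windows PowerShell 5.1 or later. It illustrates both the Technical Analysis above (what the Zone.Identifier stream holds) and mitigation item 4 (verifying that an archiver propagates MotW before trusting it).

```powershell
# Added example (not Bandisoft code): read, compare and re-apply Mark-of-the-Web
# (the Zone.Identifier NTFS alternate data stream) around an archive extraction.
# Assumes Windows, an NTFS volume and Windows PowerShell 5.1 or PowerShell 7.
# Paths and file names below are placeholders chosen for the example.

function Get-ZoneId {
    # Return the ZoneId from a file's Zone.Identifier stream, or $null if the file is untagged.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-ZoneId {
    # Write a minimal Zone.Identifier stream carrying only the zone. HostUrl/ReferrerUrl are
    # deliberately not copied, so origin URLs do not end up in every extracted file.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][int]$ZoneId)
    $content = "[ZoneTransfer]`r`nZoneId=$ZoneId`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $content -NoNewline
}

function Test-ExtractedMotW {
    # Compare the archive's zone with each extracted file; return the files that lost it.
    param([Parameter(Mandatory)][string]$ArchivePath,
          [Parameter(Mandatory)][string]$ExtractDir)
    $archiveZone = Get-ZoneId -Path $ArchivePath
    if ($null -eq $archiveZone -or $archiveZone -lt 3) {
        Write-Verbose "Archive is not marked Internet/Restricted (zone: $archiveZone); nothing to check."
        return @()
    }
    Get-ChildItem -LiteralPath $ExtractDir -File -Recurse |
        Where-Object { (Get-ZoneId -Path $_.FullName) -ne $archiveZone } |
        Select-Object -ExpandProperty FullName
}

function Restore-ExtractedMotW {
    # Re-tag every extracted file that lacks the archive's zone (the propagation Bandizip skips).
    param([Parameter(Mandatory)][string]$ArchivePath,
          [Parameter(Mandatory)][string]$ExtractDir)
    $archiveZone = Get-ZoneId -Path $ArchivePath
    if ($null -eq $archiveZone) { return }
    foreach ($file in Test-ExtractedMotW -ArchivePath $ArchivePath -ExtractDir $ExtractDir) {
        Set-ZoneId -Path $file -ZoneId $archiveZone
        Write-Verbose "Re-applied ZoneId=$archiveZone to $file"
    }
}

# Usage: build a constructed sample archive, tag it as an Internet download, extract it with
# the archiver under test and report which extracted files came out without the mark.
$work = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -LiteralPath (Join-Path $work 'payload.txt') -Value 'constructed sample file'
$archive = Join-Path $work 'sample.zip'
Compress-Archive -LiteralPath (Join-Path $work 'payload.txt') -DestinationPath $archive -Force
Set-ZoneId -Path $archive -ZoneId 3            # simulate a browser download (Internet zone)

$out = Join-Path $work 'extracted'
# Replace this line with the archiver you want to evaluate (e.g. run Bandizip on $archive).
Expand-Archive -LiteralPath $archive -DestinationPath $out -Force

$missing = Test-ExtractedMotW -ArchivePath $archive -ExtractDir $out
"{0} extracted file(s) without the archive's Mark-of-the-Web" -f @($missing).Count
Restore-ExtractedMotW -ArchivePath $archive -ExtractDir $out -Verbose
```

Run the script once with Expand-Archive, then again with the extractor you are evaluating substituted in; any archiver that leaves the count above zero is dropping the mark. Set-ZoneId writes only the ZoneId on purpose: that keeps SmartScreen and Protected View engaged for the extracted files while sidestepping the objection in the disputed note, namely that HostUrl and ReferrerUrl describe where the archive came from and have no business being replicated into every file it contained.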


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-15T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68fbd506f816635ddaec8851

Added to database: 10/24/2025, 7:35:34 PM

Last enriched: 10/24/2025, 7:50:32 PM

Last updated: 10/25/2025, 10:45:00 AM

