Someone called “NSA_Employee39” just dropped a 7-Zip 0day with some nasty potential, especially around Infostealer & supply chain attacks ⬇️

So this guy who seems to have serious exploitation experience just dropped an ACE 0day for 7-Zip, which can easily be weaponized by threat actors, especially in the Infostealers space.

Full blog (3 minutes read!) - https://www.infostealers.com/article/7-zip-zero-day-exploit-released-by-hacker-a-new-playground-for-infostealer-supply-chain-attacks/

This vulnerability in 7-Zip allows an attacker to create a malicious .7z file that, when opened or extracted in the latest version of 7-Zip, runs the attacker's code on the victim's computer.

In the context of Infostealer delivery, threat actors typically make victims open password-protected .rar/.zip files, so with this exploit they could potentially just get you to open the archive to get infected.

In another context, if, for example, your organization has some automation around 7-Zip files from third parties and a hacker infiltrates the supply chain, they could swap the 7-Zip archives for malicious ones and do some real nasty stuff. I hope we don't get there.

The challenge for hackers would be to have the malicious code running in a very limited space (100-200 bytes), and if done correctly, it could be very bad.

I'd love to hear more thoughts around this; I'm not in the 0days game.

Exploit source - https://pastebin.com/KxQYFqwR

The same hacker is also going to release a MyBB 0day, which is going to be used for breaching a lot of forums and leaking their databases.

Edit: The author of 7-Zip is disputing the legitimacy of the reported 0-day; this article will be updated as soon as we have more information.

7-Zip Zero-Day Exploit Dropped: A New Playground for Infostealer & Supply Chain Attacks

An X user going by the alias "NSA_Employee39" has dropped a zero-day (0day) vulnerability for 7-Zip, a widely used file archiving tool. The implications are particularly alarming for the realm of Infostealers.

@underthebreach This is fake: https://sourceforge.net/p/sevenzip/bugs/2539/ Much like the Twitter user's previous tweets about getting $120k from the Riot Games bug bounty, I suspect.
7-Zip / Bugs / #2539 Public ACE 0day

@0daystolive Thanks I added it and watching for development.

Some people confirmed it works, so let's see where this goes.