A new vulnerability that enables attackers to conceal malicious files inside specially constructed ZIP archives and potentially get around antivirus and endpoint detection and response (EDR) security tools has been revealed by security researchers. The problem, identified as CVE-2026-0866 and recorded in CERT Coordination Center Vulnerability Note VU#976247, demonstrates how altered archive metadata can hinder security scanners' ability to correctly analyze compressed files.
Malformed ZIP Headers Get Around Security Scanning

ZIP archives have metadata that instructs programs on how to process and decompress the files they contain. Fields like the compression method, version details, and file flags are included in this metadata. These values are usually used by antivirus and EDR systems to decide how to extract and scan an archive's contents.
Researchers discovered that the compression method field in the header of a ZIP file can be altered by attackers. Security software may not be able to properly decompress the archive if this field is changed. Because of this, the scanning engine is unable to access the embedded payload and may mistakenly identify the file as corrupted or safe.
Using specialized tools made to ignore the incorrect metadata, the malicious content can still be programmatically extracted in spite of the malformed header. This enables attackers to evade automated security inspection and hide malware inside the archive. A threat actor typically creates a ZIP archive with malicious code and purposefully alters the archive's metadata fields. In order to figure out how to decompress the archive, security tools try to read the header.
The scanner is unable to extract the contents and analyze the hidden payload due to manipulation of the compression method field. Nevertheless, using a custom loader that circumvents the declared compression method and directly decompresses the raw data, attackers can subsequently recover the embedded data. The hidden payload can be run on the target system after it has been extracted.
It's interesting to note that popular archive extraction tools like 7-Zip, unzip, bsdtar and Python's zipfile module typically rely on the stated compression method within the ZIP header. These tools attempt decompression when the header contains manipulated values, but ultimately fail with errors like "unsupported compression method" or CRC verification failures. Consequently, the payload is concealed from both standard extraction tools and security scanners.
Vendors Affected and Mitigation

Cisco is presently listed as impacted, according to CERT/CC, while the status of a number of other vendors, including Avast, Bitdefender, Avira, Baidu, and AVG, is still unknown. When scanning compressed files, security experts advise antivirus and EDR vendors not to rely only on declared archive metadata. Rather, detection engines ought to verify whether the data structure in the archive corresponds with the compression method field.
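A checker along the lines the advisory recommends, added here as an illustration (it is not code from CERT/CC, the researcher or any vendor): instead of trusting the compression method field, it takes each entry's raw bytes and tests them against the CRC-32 the archive itself declares, then flags any entry where the central directory or the local file header disagrees with what the bytes verify as. The fixture archives, the bogus method value 99 and the function names are constructed for this example; plain, unencrypted, non-Zip64 archives are assumed.

```python
import io
import struct
import zipfile
import zlib

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # local file header: 30 fixed bytes
VERIFIABLE = {0: "stored", 8: "deflate"}     # methods this checker can validate itself

def actual_encoding(raw: bytes, crc: int):
    """Classify the raw entry bytes by testing them against the declared CRC-32."""
    if zlib.crc32(raw) == crc:
        return "stored"
    try:
        if zlib.crc32(zlib.decompress(raw, -15)) == crc:  # -15: raw deflate, no wrapper
            return "deflate"
    except zlib.error:
        pass
    return None

def inspect_zip(data: bytes):
    """Return (filename, reason) for each entry whose declared method, in the central
    directory or the local header, disagrees with the bytes that follow the header.
    Assumes a plain (non-Zip64, unencrypted) archive; unverifiable methods are flagged too."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # parses only the central directory
        for info in zf.infolist():
            hdr = LOCAL_HDR.unpack_from(data, info.header_offset)
            if hdr[0] != b"PK\x03\x04":
                findings.append((info.filename, "local header signature missing"))
                continue
            local_method, name_len, extra_len = hdr[3], hdr[9], hdr[10]
            start = info.header_offset + LOCAL_HDR.size + name_len + extra_len
            real = actual_encoding(data[start:start + info.compress_size], info.CRC)
            for where, declared in (("central", info.compress_type), ("local", local_method)):
                if real is None or VERIFIABLE.get(declared) != real:
                    findings.append((info.filename,
                        f"{where} header declares method {declared}; payload verifies as {real}"))
    return findings

def sample_archives():
    """Constructed fixture: a clean deflated archive and a copy whose method fields
    (local header offset 8, central header offset 10) are overwritten with 99."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.txt", b"benign placeholder content " * 20)
    clean = buf.getvalue()
    tampered = bytearray(clean)
    struct.pack_into("<H", tampered, 8, 99)                                # first local header
    struct.pack_into("<H", tampered, clean.rfind(b"PK\x01\x02") + 10, 99)  # central header
    return clean, bytes(tampered)
```

Running `inspect_zip` on the tampered fixture yields two findings for `payload.txt` (one per header), while the clean archive yields none; a real scanner would treat such findings as a reason to decompress the entry by its verified encoding and scan it rather than report it as corrupt.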
Organizations and users can reduce risk by following these security practices:
Consider corrupted or dubious ZIP archives as possible dangers.
Refrain from opening archives that you have received from unreliable sources.
Make sure your EDR and antivirus programs are up to date.
Keep an eye out for patches or mitigation advice in vendor advisories.
Security researcher Christopher Aziz discovered the vulnerability, and Laurie Tyzenhaus of the CERT Coordination Center wrote the advisory. The finding emphasizes the need for more reliable archive inspection techniques in contemporary security tools as attackers continue to devise inventive evasion strategies.