Users of compression software often argue over WinRAR versus 7-Zip, but a recently disclosed vulnerability in the underlying format puts users of both at risk at once. Chris Aziz, a researcher at the cybersecurity company Bombadil Systems, discovered and disclosed a serious security vulnerability dubbed "Zombie ZIP". At the time of writing, none of the 50 mainstream antivirus engines on VirusTotal recognise such manipulated ZIP files.

The vulnerability exploits flaws in the underlying logic of the compressed-file format: whichever extraction tool the user runs, once a specially tampered malicious ZIP package is opened and a file inside it is clicked, the attacker's code executes and can seize control of the system.

The core of the vulnerability is forgery of ZIP file headers. The research points out that most antivirus engines blindly trust the "Method" (compression method) field of an archive when scanning it.

The attacker deliberately sets this field to 0, the value for an uncompressed ("stored") entry, leading the antivirus engine to believe the file is in its original, uncompressed form and to skip the decompress-then-scan step. What the engine reads is only a stream of apparently meaningless "compression noise", in which the signature of the embedded malicious program cannot be recognised at all.

At the same time, the attacker targets the error-handling behaviour of WinRAR, 7-Zip and similar tools: the CRC check value is set to the CRC of the uncompressed data, while a custom DEFLATE-compressed loader is embedded in the ZIP file, so the extraction tool simply disregards the forged file header, inflates the data anyway and releases the hidden malicious code.

This double deception achieves a near-perfect stealth effect: the antivirus software judges the file to be safe, the extraction tool releases the malicious program as normal, and the user who clicks it is compromised.

The Computer Emergency Response Team Coordination Center (CERT/CC) has assigned the vulnerability the identifier CVE-2026-0866, noting that it is highly similar to CVE-2004-0935, which affected early ESET antivirus software more than 20 years ago.

CERT/CC warns that antivirus engines must not blindly trust the Method field of a ZIP header: they should cross-verify the declared compression method against the actual data and add a mechanism for flagging archives with an abnormal structure.
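The cross-verification CERT/CC asks for is mechanical once the ZIP structures are parsed, so here is an added example of what such a check looks like; it is not code from the researcher, from CERT/CC or from any of the products named above. It reads the central directory and each local file header, then treats the "Method" field as a claim to be tested rather than a fact: for a Method of 0 (stored) the raw bytes must match the declared CRC and size, and if instead they inflate as DEFLATE to data that matches the declared CRC, the header has been forged in exactly the way the article describes. The archive it scans is constructed inline with the standard `struct` and `zlib` modules (the entry names, contents and verdict strings are all assumptions for the demonstration); it handles only plain 32-bit archives without data descriptors, ZIP64 records or encryption.

```python
import struct
import zlib

STORED, DEFLATED = 0, 8  # values of the ZIP "Method" field this example understands
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE stream (no zlib wrapper), which is what a ZIP entry carries."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


def build_sample_zip() -> bytes:
    """Constructed test archive: two honest entries plus one whose header claims
    Method 0 (stored) while its bytes are DEFLATE data and its CRC is that of the
    plaintext. All names and contents are made up for this example."""
    stored_text = b"plain stored entry"
    deflate_text = b"deflate " * 40
    forged_text = b"this is the mislabelled entry, expanded on extraction. " * 20
    entries = [  # (name, bytes in the archive, declared Method, declared CRC, declared uncompressed size)
        (b"readme.txt", stored_text, STORED, zlib.crc32(stored_text), len(stored_text)),
        (b"notes.txt", _raw_deflate(deflate_text), DEFLATED, zlib.crc32(deflate_text), len(deflate_text)),
        (b"payload.bin", _raw_deflate(forged_text), STORED, zlib.crc32(forged_text), len(forged_text)),
    ]
    body, central = b"", b""
    for name, payload, method, crc, usize in entries:
        offset = len(body)
        body += struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, 0, method, 0, 0,
                            crc, len(payload), usize, len(name), 0) + name + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, 0, method, 0, 0,
                               crc, len(payload), usize, len(name), 0, 0, 0, 0, 0, offset) + name
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def classify_entry(method: int, crc: int, csize: int, usize: int, payload: bytes) -> str:
    """Cross-verify the declared Method, CRC and sizes against the actual bytes."""
    if method == STORED:
        if csize == usize and zlib.crc32(payload) == crc:
            return "ok-stored"
        # Header says "stored" but the raw bytes do not match the declared CRC/size.
        # If the payload inflates to data that DOES match, the Method field was forged.
        try:
            inflated = zlib.decompress(payload, -15)
        except zlib.error:
            return "corrupt"
        if zlib.crc32(inflated) == crc or len(inflated) == usize:
            return "forged-method-stored-but-deflate"
        return "corrupt"
    if method == DEFLATED:
        try:
            inflated = zlib.decompress(payload, -15)
        except zlib.error:
            return "corrupt"
        if zlib.crc32(inflated) == crc and len(inflated) == usize:
            return "ok-deflate"
        return "crc-mismatch"
    return "unsupported-method"


def scan_zip(blob: bytes) -> list:
    """Walk the central directory, locate each local entry and return a list of
    (name, verdict). Any verdict other than ok-* is a reason to quarantine."""
    eocd_off = blob.rfind(b"PK\x05\x06")
    if eocd_off < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", blob, eocd_off)
    results, pos = [], cd_off
    for _ in range(count):
        (sig, _, _, _, method, _, _, crc, csize, usize,
         nlen, xlen, clen, _, _, _, loff) = struct.unpack_from("<IHHHHHHIIIHHHHHII", blob, pos)
        if sig != CENTRAL_SIG:
            raise ValueError("bad central directory signature")
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        (lsig, _, _, lmethod, _, _, _, _, _,
         lnlen, lxlen) = struct.unpack_from("<IHHHHHIIIHH", blob, loff)
        if lsig != LOCAL_SIG:
            raise ValueError(f"bad local header for {name}")
        data_start = loff + 30 + lnlen + lxlen
        payload = blob[data_start:data_start + csize]
        verdict = classify_entry(method, crc, csize, usize, payload)
        if lmethod != method:  # the two headers must agree on the method as well
            verdict = "local-vs-central-method-mismatch"
        results.append((name, verdict))
    return results


if __name__ == "__main__":
    for entry_name, verdict in scan_zip(build_sample_zip()):
        print(f"{entry_name:12s} {verdict}")
```

The important design choice is that the scanner never uses the Method field to decide what to do with the bytes; it uses it only to decide which consistency checks the entry must pass. An entry that fails the checks for its declared method is suspicious whether or not it inflates, and one that fails them yet inflates to data matching the declared CRC is the specific signature of a forged header. Scanning the inflated bytes (which is what the antivirus engines in the article skip) is then a separate step that can be applied to every entry regardless of what its header says.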

Until vendors release patches, users should be extremely cautious with ZIP files of unknown origin and should not casually open any of the files inside.