An X user claimed to have discovered a zero-day vulnerability in the popular file compression software 7-Zip on Monday. The user, operating under the handle @NSA_Employee39, stated they would be revealing various “0days” throughout the week as a token of appreciation for gaining over 1,400 new followers. The alleged vulnerability was described as an arbitrary code execution (ACE) flaw.
This would theoretically allow an attacker to run any code on a victim’s device. The purported exploit code, consisting of 90 lines, was shared on Pastebin. Comments described it as using “a crafted .7z archive with a malformed LZMA stream to trigger a buffer overflow condition in the RC_NORM function.”
However, the security community quickly expressed skepticism about the claim.
No one was able to verify the exploit or get it to work as described.
One expert commented, “Maybe I just suck but I don’t think this is real.”
Developer dismisses alleged zero-day claim
Igor Pavlov, the developer of 7-Zip, responded to the claims in the 7-Zip discussion forum.
He dismissed the report as fake, stating, “This report on Twitter is fake. And I don’t understand why this Twitter user did this. There is no such ACE vulnerability in 7-Zip / LZMA.”
Pavlov pointed out that the code referenced in the exploit does not exist within the LZMA decoder of 7-Zip.
“The technical details provided are incorrect, and it appears this code was generated by an AI,” he explained. Attempts to contact the @NSA_Employee39 account on social media for comment were unsuccessful. Despite the initial excitement, expert consensus suggests the claimed zero-day vulnerability is likely a hoax.
The cybersecurity community remains vigilant for legitimate threats while advising caution around unverified claims.