A critical vulnerability in 7-Zip, tracked as CVE-2025-11001, has raised alarms in the cybersecurity community due to its potential for remote code execution through mishandled symbolic links in ZIP files.
This flaw affects all versions of the popular open-source file archiver before 25.00, allowing attackers to craft malicious archives that escape extraction boundaries and execute arbitrary code under the user’s privileges.
Originally reported with claims of active exploitation, recent updates from authorities such as NHS England’s National CSOC clarify that no in-the-wild attacks have been observed.
However, a public proof-of-concept exploit heightens the risk of future abuse.
The vulnerability stems from improper validation of symbolic links during ZIP file parsing, enabling directory traversal that writes files to unintended locations on Windows systems.
When a user extracts a specially crafted ZIP archive, 7-Zip follows these links outside the target folder, potentially overwriting system files or injecting payloads that trigger code execution.
Exploitation requires user interaction, such as opening the archive. However, it succeeds in elevated contexts, such as service accounts or machines running in developer mode, making it dangerous for enterprise environments.
Discovered by researchers Ryota Shiga from GMO Flatt Security and AI tool Takumi, the issue earned a CVSS v3 score of 7.0 for its high impact on confidentiality, integrity, and availability.
While initial alerts suggested ongoing attacks, a November 20, 2025, correction removed those references, emphasizing the PoC’s availability as the primary concern.
Affected Platforms and Technical Breakdown
7-Zip versions before 25.00 on Windows are vulnerable, as the flaw exploits the ZIP handler’s failure to canonicalize paths properly during symlink resolution.
Attackers embed symbolic links in ZIP entries pointing to sensitive directories, such as system32, allowing file writes that could load DLLs or scripts for RCE without additional privileges beyond the extraction user.
The PoC, released by researcher Dominik (pacbypass), demonstrates this by creating a ZIP that traverses arbitrary paths.
However, real-world exploits might chain it via social engineering in email attachments.
No Linux or macOS impacts are noted, limiting the scope to Windows deployments in automated extraction workflows.
Organizations using 7-Zip for bulk file handling face elevated risks, as traversal could lead to data exfiltration or ransomware if combined with other flaws.
This table summarizes key CVE attributes and highlights the need to apply immediate patches to block symlink abuse.
Remediation and Ongoing Threat Landscape
To mitigate CVE-2025-11001, users must upgrade to 7-Zip 25.00 or later, which enforces strict path checks and blocks the escape of symlinks during extraction.
The update, released in July 2025, also fixes a related flaw, CVE-2025-11002, sharing the same CVSS score and exploitation vector.
Beyond patching, turn off automatic archive handling in email clients and scan incoming ZIPs with antivirus tools trained on symlink patterns.
The Zero Day Initiative’s advisory (ZDI-25-949) provides definitive technical details and urges vigilance despite no confirmed wild exploits.
As threat actors monitor public PoCs, proactive updates remain essential to prevent potential supply-chain or phishing outbreaks.
With over 100 million downloads, 7-Zip’s ubiquity underscores the urgency of widespread adoption of the fix.
