A newly disclosed security vulnerability affecting 7-Zip is being actively exploited in the wild, according to an advisory issued by the United Kingdom's NHS England Digital. The vulnerability allows remote attackers to execute arbitrary code on affected systems.
Vulnerability Details (CVE-2025-11001)
The primary vulnerability, identified as CVE-2025-11001 (with a CVSS score of 7.0), lies in the handling of symbolic links within ZIP files.
- Exploitation Mechanism: Attackers can place crafted symbolic-link entries in a ZIP archive so that extraction writes files outside the intended destination directory (directory traversal).
- Impact: Allows remote code execution (RCE) in the context of the affected user or service account.
- Discovery: The flaw was discovered and reported by Ryota Shiga of GMO Flatt Security Inc., with the help of the AI-powered AppSec Auditor Takumi audit tool.
Related Vulnerability (CVE-2025-11002)
The 7-Zip version 25.00 update also addresses a second, similar flaw, CVE-2025-11002 (CVSS score of 7.0). It likewise stems from improper handling of symbolic links in ZIP files and enables directory traversal and RCE. Both flaws were introduced in 7-Zip version 21.02.
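The mechanism behind both CVE-2025-11001 and CVE-2025-11002 is a symbolic-link entry in a ZIP archive that, once recreated on disk, lets a later entry be written outside the extraction directory. The following pre-extraction audit is an added example written for this article (it is not 7-Zip code and not the researchers' PoC): it assumes the common convention of recording a symlink as a Unix mode in the high 16 bits of the entry's external attributes, builds a constructed sample archive inline, and flags link targets that escape the root as well as paths that pass through a link.

```python
import io
import posixpath
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample (not from the advisory): a harmless file, a symlink
    entry whose target is the parent directory, and a file whose path goes
    through that link. A naive extractor that recreates the link first would
    then write evil.txt one level above the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless content\n")
        link = zipfile.ZipInfo("escape")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # Unix mode bits
        zf.writestr(link, "../")  # a symlink entry's data is its target
        zf.writestr("escape/evil.txt", "written outside the extraction dir\n")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(data: bytes) -> list[str]:
    """Return one finding per entry that could escape the extraction root.
    An empty list means no symlink- or traversal-based escape was seen."""
    findings = []
    links = {}  # normalised symlink path -> target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            if posixpath.isabs(name) or norm.startswith(".."):
                findings.append(f"{name}: absolute or traversal path")
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[norm] = target
                resolved = posixpath.normpath(
                    posixpath.join(posixpath.dirname(norm), target))
                if posixpath.isabs(target) or resolved.startswith(".."):
                    findings.append(f"{name}: symlink to '{target}' escapes root")
            # any ancestor that is a symlink redirects this write through it
            parent = posixpath.dirname(norm)
            while parent:
                if parent in links:
                    findings.append(f"{name}: path passes through symlink '{parent}'")
                    break
                parent = posixpath.dirname(parent)
    return findings
```

Refusing archives with any finding before extraction, or extracting symlink entries as plain files, removes the condition both CVEs depend on.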
Active Exploitation Context
Although NHS England Digital has confirmed active exploitation of CVE-2025-11001, no specific details have yet been provided about how it is being used in attacks, who the attackers are or in what contexts.
Dominik (pacbypass), a security researcher who published a proof of concept (PoC) for the flaw, noted the following limitations of the exploit:
- Required Conditions: The vulnerability can only be exploited from the context of an elevated user, a service account, or on a machine with developer mode enabled.
- Platform Affected: Exploitation is only possible on Windows operating systems.
Conclusion
Since a public proof of concept (PoC) exists for the vulnerability and active exploitation has been confirmed in the wild, it is critical that 7-Zip users apply the fix as soon as possible.
The fix for both vulnerabilities (CVE-2025-11001 and CVE-2025-11002) is available in 7-Zip version 25.00, released in July 2025.
References
- CVE-2025-11001: Remote code execution vulnerability due to symbolic link handling.
- CVE-2025-11002: Remote code execution vulnerability due to symbolic link handling.
- Fix Version: 7-Zip version 25.00.
- Alert Source: NHS England Digital.