Hackers are actively exploiting a critical remote code execution (RCE) vulnerability in the widely used file archiver 7-Zip, putting millions of users at risk of malware infections and system compromise.
What Is CVE-2025-11001?
The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives, enabling attackers to traverse directories and execute arbitrary code on vulnerable systems.
- Severity: CVSS v3 score of 7.0 (High)
- Disclosure Date: October 2025
- Impact: Exploitation does not require elevated privileges, making it highly dangerous.
How the Exploit Works
When parsing ZIP files containing crafted symbolic links, 7-Zip can be tricked into writing files outside the intended extraction directory. This allows attackers to:
- Overwrite critical system files
- Inject malicious payloads
- Achieve full code execution under the user or service account running 7-Zip
Researchers at Trend Micro’s Zero Day Initiative (ZDI) warn that attackers can even escape sandboxed environments, posing severe risks for automated file processing in enterprise workflows.
Proof-of-Concept & Active Exploitation
The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., using their AI-powered AppSec Auditor tool, and reported to 7-Zip developers.
A public proof-of-concept (PoC) exploit now exists, lowering the barrier for threat actors. Real-world attacks have already been observed, leveraging:
- Phishing campaigns
- Drive-by downloads
- Minimal user interaction (just opening or extracting a malicious archive)
Related Vulnerability: CVE-2025-11002
7-Zip version 25.00, released in July 2025, also patched CVE-2025-11002, a related flaw with the same root cause and CVSS score. Both vulnerabilities affect versions 21.02 and earlier, impacting over 100 million Windows users worldwide.
Who Is at Risk?
- Healthcare and finance sectors (frequent file handling)
- Organizations using automated extraction workflows
- Any Windows system running 7-Zip prior to v25.00
The U.K.’s NHS England Digital issued an urgent advisory on November 18, 2025, confirming active exploitation and urging immediate updates.
Potential Attack Scenarios
- Deploying ransomware
- Stealing sensitive data
- Establishing persistent backdoors
- Supply chain attacks via compromised archives shared internally or externally
How to Mitigate the Risk
Update 7-Zip to version 25.00 or later from the official website. The patch enforces stricter path canonicalization, preventing symbolic links from escaping extraction boundaries.
- Affected Platforms: All Windows versions running 7-Zip prior to 25.00
- Linux/macOS: No reported impact yet
Key Takeaways
- CVE-2025-11001 and CVE-2025-11002 are actively exploited RCE vulnerabilities in 7-Zip.
- Attackers use malicious ZIP archives to achieve directory traversal and code execution.
- Immediate patching to version 25.00 or later is critical to prevent compromise.
