CVE-2025-11001 in 7-Zip Under Active Attack

CVE-2025-11001 is a severe vulnerability in 7-Zip, discovered by Ryota Shiga (GMO Flatt Security Inc.), affecting versions prior to v25.00. The flaw enables directory traversal during ZIP extraction by abusing symbolic link (symlink) handling, leading to arbitrary file writes and potentially remote code execution (RCE). Exploitation has been observed in the wild, and a public PoC is available.

Severity: High

Vulnerability Details

  • CVE: CVE-2025-11001
  • CVSS Score: 7.0
  • Type: Directory Traversal → Symlink Abuse → Remote Code Execution (RCE)
  • Affected Component: 7-Zip ZIP File Extraction Module (ArchiveExtractCallback.cpp)
  • Affected Versions: All versions of 7-Zip prior to 25.00. The bug was introduced in v21.02.
  • Description: The flaw resides in the module responsible for converting Linux symbolic links to Windows ones when processing ZIP archives. Crafted data in a ZIP file exploits this weakness to cause the extraction process to traverse to unintended directories outside of the designated extraction folder.
  • Prerequisites for Exploitation: Minimal user interaction is required (e.g., extracting the crafted archive). Exploitation is possible primarily on Windows systems, and may require the context of an elevated user/service account or a machine with developer mode enabled for maximum impact.
  • Exploitation: An attacker crafts a malicious ZIP file containing symbolic link entries that escape directory boundaries. When a user extracts or opens this archive, the symbolic link is followed, allowing the attacker to write arbitrary files to critical system locations, which can then enable arbitrary code execution (RCE).
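As an added example (not code from the advisory or from the 7-Zip project), the check below inspects a ZIP archive for the pattern described above: a symlink entry whose target leaves the extraction directory, followed by an entry written through that link. It uses Python's zipfile module against a constructed sample archive; the entry names and link targets are illustrative assumptions.

```python
import io
import posixpath
import stat
import zipfile

def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix mode bits live in the high 16 bits of external_attr
    return stat.S_ISLNK(info.external_attr >> 16)

def escapes_root(path: str) -> bool:
    # After normalisation, an absolute path or a leading ".." leaves the extraction root
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def audit_zip(data: bytes) -> list:
    """Return (entry_name, reason) findings for symlink-based traversal in a ZIP."""
    findings = []
    symlinks = []  # symlink entries seen so far, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                findings.append((name, "entry path escapes extraction root"))
            elif is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                # Resolve the link target relative to the link's own directory
                if escapes_root(posixpath.join(posixpath.dirname(name), target)):
                    findings.append((name, f"symlink target escapes root: {target}"))
                symlinks.append(name.rstrip("/"))
            else:
                # A regular entry written through an earlier symlink lands wherever it points
                for link in symlinks:
                    if name.startswith(link + "/"):
                        findings.append((name, f"written through symlink {link}"))
                        break
    return findings

def build_sample() -> bytes:
    """Constructed sample archive (not a real in-the-wild file) showing the pattern."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("docs/out")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
        zf.writestr(link, "../../../etc")                   # target leaves the root
        zf.writestr("docs/out/payload.txt", "lands outside the extraction dir")
        alias = zipfile.ZipInfo("docs/alias")
        alias.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(alias, "readme.txt")                    # relative target, stays in docs/
        zf.writestr("docs/readme.txt", "benign")
    return buf.getvalue()
```

Running `audit_zip(build_sample())` flags the escaping link and the entry written through it, while the in-directory link and the plain file pass; the same check can be applied to any archive before handing it to an extractor.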

Recommendations

  1. Immediately upgrade to 7-Zip v25.00 or later.
  2. Educate users on ZIP phishing and the dangers of extracting archives from unknown sources.
  3. Block ZIP downloads from unknown or untrusted sources.
  4. Watch for file write attempts to unexpected system locations from 7z.exe or extraction utilities.
