A remote code execution vulnerability, tracked as CVE-2025-11001, in the 7-Zip software is under active exploitation.
A new 7-Zip flaw tracked as CVE-2025-11001 (CVSS score of 7.0) is now being actively exploited in the wild, NHS England warns. Remote attackers can trigger the vulnerability to execute arbitrary code on affected installations of 7-Zip.
“Active exploitation of CVE-2025-11001 has been observed in the wild,” reads the alert published by NHS. “A security researcher has also publicly released a proof-of-concept (PoC) exploit for CVE-2025-11001. The PoC allows attackers to abuse symbolic-link handling to write files outside of the intended extraction folder, which, in some scenarios, can enable arbitrary code execution.”
Malicious ZIP symlinks let attackers escape target folders and run code with the service account’s permissions.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability, but attack vectors may vary depending on the implementation,” reads the advisory. “The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account.”
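As an added, defensive illustration (not code from 7-Zip, NHS, or the researchers), the following Python scanner flags the archive patterns the advisory describes before extraction: entry names that traverse out of the target folder, symlink entries whose target resolves outside it, and files written through a symlink created earlier in the same archive. It assumes the archive records Unix mode bits in the standard ZIP external-attribute field (which is how symlinks are stored); the sample archives are constructed in-memory fixtures.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """ZIP stores the Unix mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(path: str) -> bool:
    """True if a path would resolve outside the extraction root."""
    path = path.replace("\\", "/")
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return True  # absolute POSIX path or drive-qualified Windows path
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def find_unsafe_entries(zip_bytes: bytes) -> list:
    """Return (entry, reason) pairs for entries that could land outside the
    target folder: traversing names, escaping symlinks, writes through links."""
    findings, link_paths = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if escapes_root(name):
                findings.append((info.filename, "entry name traverses out of root"))
            parts = name.split("/")  # does any parent component match an earlier link?
            if any("/".join(parts[:i]) in link_paths for i in range(1, len(parts))):
                findings.append((info.filename, "written through an earlier symlink"))
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")  # link body = target
                resolved = posixpath.join(posixpath.dirname(name), target)
                if escapes_root(resolved):
                    findings.append((info.filename, f"symlink -> {target} leaves root"))
                link_paths.append(name.rstrip("/"))
    return findings


def build_sample(entries) -> bytes:
    """Constructed fixture for testing: entries are (name, data, is_link)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, is_link in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so the mode bits are interpreted
            mode = stat.S_IFLNK if is_link else stat.S_IFREG
            info.external_attr = (mode | 0o644) << 16
            zf.writestr(info, data)
    return buf.getvalue()
```

Running `find_unsafe_entries` over an archive before handing it to any extractor gives a quick triage signal; an empty result does not prove the archive is safe, only that none of these three patterns is present.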
The vulnerability was reported by researcher Ryota Shiga (GMO Flatt Security Inc.) together with takumi-san.ai.
Version 25.00, released in July 2025, addressed the vulnerability.
“This vulnerability can only be exploited from the context of an elevated user / service account or a machine with developer mode enabled,” wrote security researcher Dominik (aka pacbypass), who released a PoC. “This vulnerability can only be exploited on Windows.”
7-Zip users should upgrade to a fixed version promptly, given that proof-of-concept (PoC) exploits are publicly available.
