
Critical 7-Zip Vulnerability With Public Exploit Requires Immediate Update

  • Nov 24, 2025
  • 2 min read

Key Findings


  • A critical vulnerability, tracked as CVE-2025-11001, has been discovered in the popular file-compression tool 7-Zip.

  • The flaw is a directory-traversal bug in ZIP extraction that can be turned into remote code execution (RCE), and a public proof-of-concept exploit is available.

  • NHS England Digital has issued a high-severity alert about the flaw, although active exploitation in the wild has not yet been observed.

  • The issue was discovered by researchers at GMO Flatt Security Inc. and disclosed by Trend Micro's Zero Day Initiative (ZDI) last month.


Background


7-Zip is a free and open-source file archiving and compression utility widely used for its ability to handle many archive formats. The vulnerability lies in how 7-Zip versions before 25.00 handle symbolic-link entries inside ZIP archives during extraction.


The Problem


  • A specially crafted ZIP archive can carry a symbolic-link entry whose target lies outside the extraction directory. When a vulnerable 7-Zip extracts later entries whose paths pass through that link, it follows the link and writes files to locations the user never chose, an arbitrary file write that an attacker can turn into arbitrary code execution.

  • The issue has a CVSS base score of 7.0 (High) and requires user interaction: the target must extract the malicious ZIP file with a vulnerable version of 7-Zip.

  • Exploitation can lead to a full system takeover, especially if the archive is extracted under a highly privileged account, such as a service account or an administrator. On Windows, creating symbolic links normally requires administrator rights or Developer Mode, so the privileges of the account doing the extraction determine how far the write primitive reaches.

  • 7-Zip's widespread use means a vast population of unpatched installations, which makes the vulnerability particularly dangerous.
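The audit below, an added example that is not part of the original post and not the public PoC, shows the archive layout the bullets describe and the check a practitioner can run before extraction: it walks the ZIP central directory, flags symbolic-link entries (Unix mode bits stored in `external_attr`), flags entry names and link targets that escape the extraction root, and flags any regular entry whose path passes through an earlier symlink, which is the arbitrary-write step. The sample archive it builds in memory is constructed for the demonstration; the entry names, the `docs` link and its target are assumptions, not values from the original page. Python's own `zipfile` writes symlink entries as ordinary files, so the sample is inert on this script.

```python
import io
import posixpath
import stat
import zipfile

UNIX_MODE_SHIFT = 16  # Unix-style ZIP writers store st_mode in the top 16 bits of external_attr


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's stored mode bits mark it as a symbolic link."""
    mode = (info.external_attr >> UNIX_MODE_SHIFT) & 0xFFFF
    return stat.S_ISLNK(mode)


def _escapes_root(path: str) -> bool:
    """True if a normalised path would leave the extraction directory."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return True
    # absolute POSIX path, or a Windows drive-letter path such as C:/Windows
    return posixpath.isabs(norm) or (len(norm) > 1 and norm[1] == ":")


def audit_zip(data: bytes) -> list:
    """Return findings for symlink entries, traversal paths and writes through symlinks.

    An empty list means none of those patterns was found. The archive bytes are
    only inspected; nothing is written to disk.
    """
    findings = []
    links = {}  # normalised symlink path -> link target (the entry body)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if _escapes_root(name):
                findings.append(f"traversal in entry name: {info.filename}")
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[norm] = target
                # a relative target resolves against the link's own directory
                resolved = posixpath.join(posixpath.dirname(norm), target)
                if _escapes_root(target) or _escapes_root(resolved):
                    findings.append(f"symlink {info.filename} -> {target} points outside the extraction root")
                else:
                    findings.append(f"symlink {info.filename} -> {target} (symlink entries are unsafe to honour)")
                continue
            # A regular entry whose path passes through an earlier symlink is the
            # arbitrary-write primitive: a vulnerable extractor follows the link on disk.
            parts = norm.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"entry {info.filename} is written through symlink {prefix} -> {links[prefix]}")
                    break
    return findings


def safe_extract(data: bytes, dest: str) -> None:
    """Extract only if the audit is clean; otherwise refuse the whole archive."""
    findings = audit_zip(data)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)


def build_sample_archive() -> bytes:
    """Constructed sample (not the public PoC) with the described layout: a symlink
    entry pointing outside the extraction directory, followed by a file entry whose
    path passes through that symlink. Names and target are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("docs")
        link.create_system = 3  # Unix origin, so readers honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << UNIX_MODE_SHIFT
        zf.writestr(link, "../../../../outside")  # the link target is the entry body
        zf.writestr("docs/payload.txt", "lands outside the extraction root on a vulnerable extractor")
        zf.writestr("readme.txt", "benign entry")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control archive containing only regular entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign entry")
        zf.writestr("docs/notes.txt", "also benign")
    return buf.getvalue()


if __name__ == "__main__":
    for line in audit_zip(build_sample_archive()):
        print(line)
```

Running the script prints one finding for the `docs` symlink and one for `docs/payload.txt` being written through it, and nothing for the control archive. Rejecting the archive outright, as `safe_extract` does, is the conservative choice: a symlink entry has no legitimate use in an archive that an untrusted party sent you.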


Public Exploit and Malicious Activity


  • Security researcher Dominik (pacbypass) publicly shared a working proof-of-concept (PoC) exploit, giving attackers a ready-made blueprint.

  • Microsoft tracks malicious samples built from the public code under the Defender detection name "Exploit:Python/CVE-2025-11001.SA!MTB", showing that the PoC is already being packaged into malicious files, even though broad in-the-wild exploitation has not yet been reported.


Mitigation and Patching


  • The vulnerability was fixed in 7-Zip version 25.00, released in July 2025; 25.01 is the latest release at the time of writing.

  • 7-Zip has no built-in update mechanism, so users must install the new version manually, or organisations must push it with their own deployment tooling, scripts, or software-management systems.

  • Because nothing updates 7-Zip automatically, many systems are likely still running an older, vulnerable version, which increases the risk of exploitation.
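Because 7-Zip does not update itself, the practical check is an inventory: collect the version each host reports (the first line of `7z` console output, or the uninstall DisplayName on Windows) and compare it against 25.00. The triage helper below is an added example, not code from the original post or from the 7-Zip project; the host names and banner strings are constructed samples, and the regular expression covers the banner formats 7-Zip has used over the years (`7-Zip 24.09 (x64) : ...`, the older `7-Zip [64] 16.04 : ...` and `7-Zip (a) 9.20 ...`).

```python
import re
from typing import Dict, List, Optional, Tuple

FIXED_IN = (25, 0)  # CVE-2025-11001 is fixed in 7-Zip 25.00 and later

# Version number from a 7-Zip banner or Windows uninstall DisplayName, allowing the
# optional "(a)"/"(r)" console-build tag and the "[64]" marker of older releases.
_VERSION_RE = re.compile(r"7-Zip(?:\s+\((?:a|r)\))?(?:\s+\[\d+\])?\s+(\d+)\.(\d+)")


def parse_7zip_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a banner line, or None if it is not a 7-Zip banner."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(text: str) -> Optional[bool]:
    """True for versions older than 25.00, False for 25.00+, None if unparsable."""
    version = parse_7zip_version(text)
    if version is None:
        return None
    return version < FIXED_IN


# Constructed sample inventory (hypothetical hosts): host -> reported banner line.
SAMPLE_INVENTORY = {
    "ws-01": "7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29",
    "ws-02": "7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03",
    "srv-03": "7-Zip [64] 16.04 : Copyright (c) 1999-2016 Igor Pavlov : 2016-10-04",
    "ws-04": "7-Zip 25.00 (x64 edition)",
    "ws-05": "WinRAR 7.01 (64-bit)",
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into vulnerable / patched / unknown by their reported version."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, banner in inventory.items():
        state = is_vulnerable(banner)
        if state is True:
            buckets["vulnerable"].append(host)
        elif state is False:
            buckets["patched"].append(host)
        else:
            buckets["unknown"].append(host)
    return buckets


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need a manual look: the banner did not parse as 7-Zip, which may mean a different archiver, a portable copy outside the normal install path, or a collection error. Treat them as unpatched until confirmed.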


Sources


  • https://hackread.com/7-zip-vulnerability-public-exploit-manual-update/

  • https://x.com/HackRead/status/1992579185429356919

  • https://www.reddit.com/r/pwnhub/comments/1p4nqwn/critical_7zip_vulnerability_revealed_with_public/

  • https://x.com/Dinosn/status/1992616955748970562

  • https://www.reddit.com/r/InfoSecNews/comments/1p4lym8/critical_7_zip_vulnerability_with_public_exploit/


© 2025 by Explain IT Again. Powered and secured by Wix
