You are currently viewing 7-Zip Users at Risk: Symbolic Link Vulnerability Triggers RCE Attacks

7-Zip Users at Risk: Symbolic Link Vulnerability Triggers RCE Attacks

A security vulnerability in the widely used 7-Zip file archiver has recently come under active exploitation. The flaw, identified as CVE-2025-11001, poses a significant risk as it allows for remote code execution. This issue has prompted warnings from cybersecurity entities, including NHS England Digital, urging users to update to the latest version of 7-Zip to mitigate potential threats.

Root Cause

The root cause of CVE-2025-11001 lies in the improper handling of symbolic links within ZIP archives. This vulnerability, which carries a CVSS score of 7.0, can be exploited when 7-Zip processes a specially crafted ZIP file. By manipulating symbolic links within the archive, an attacker can cause 7-Zip to traverse to unintended directories during extraction. This directory traversal can then be leveraged to execute arbitrary code within the context of the service account running 7-Zip.

The vulnerability was introduced in 7-Zip version 21.02, highlighting the importance of staying current with software updates even for well-established tools. It was discovered and reported by Ryota Shiga from GMO Flatt Security Inc., with assistance from their AI-powered AppSec Auditor Takumi.

Impact & Exploit Potential

The impact of this vulnerability is substantial, as successful exploitation can lead to remote code execution. An attacker can craft a malicious ZIP archive containing symbolic links that, when processed by a vulnerable version of 7-Zip, allow the attacker to write files outside the intended extraction folder. In certain scenarios, this can enable arbitrary code execution, effectively granting the attacker control over the affected system.

NHS England Digital has confirmed that active exploitation of CVE-2025-11001 has been observed in the wild. While specific details on the exploitation methods remain undisclosed, the existence of a publicly available proof-of-concept (PoC) exploit significantly increases the risk, making it easier for malicious actors to weaponize the vulnerability.

It is important to note that according to security researcher Dominik (aka pacbypass), the vulnerability can only be exploited from the context of an elevated user/service account or a machine with developer mode enabled, and it is limited to Windows platforms.

Tactics, Techniques, and Procedures (TTPs)

Attackers are exploiting the 7-Zip vulnerability CVE-2025-11001 using the following tactics, techniques and procedures:

  • TA0005 – Execution: Attackers exploit the 7-Zip vulnerability to execute arbitrary code on a vulnerable system.
  • T1203 – Exploitation for Client Execution: Attackers leverage the 7-Zip software to execute malicious code through crafted ZIP files.

Mitigation & Recommendations

Given the active exploitation and the availability of a PoC, immediate action is required to mitigate the risk posed by CVE-2025-11001. The primary recommendation is to update 7-Zip to version 25.00 or later. This version, released in July 2025, includes the necessary fixes to address the symbolic link handling vulnerability.

To ensure the security of your systems, consider the following:

  • Promptly update 7-Zip: Upgrade to version 25.00 or later as soon as possible.
  • Exercise caution with ZIP files: Be wary of opening ZIP files from untrusted sources, especially if you are running 7-Zip with elevated privileges or have developer mode enabled.
  • Monitor for suspicious activity: Keep an eye on system logs and monitor for any unusual processes or file modifications that might indicate exploitation.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.