    Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update


    A newly discovered zero-day vulnerability in the widely used archive tool 7-Zip, tracked as CVE-2025-11001 alongside the related flaw CVE-2025-11002, lets attackers abuse the way the software handles symbolic links inside ZIP files to achieve directory traversal and remote code execution. According to advisories from the Zero Day Initiative (ZDI), these flaws carry a CVSS base score of 7.0 and were patched in version 25.00, yet many systems remain vulnerable because 7-Zip lacks an automated update mechanism. The National Health Service England (NHS England) confirmed that a proof-of-concept exploit is publicly available and that some attacks exploiting the flaw may already be taking place. The urgent takeaway is that users and administrators must manually install version 25.01 (or newer) of 7-Zip immediately and apply standard security mitigations for archive file processing.

    Sources: Hack Read, Hacker News

    Key Takeaways

    – The vulnerabilities (CVE-2025-11001 and CVE-2025-11002) stem from improper handling of symbolic links in ZIP files by 7-Zip, enabling directory traversal and potentially remote code execution.

    – Though patched in version 25.00 (and superseded by 25.01), the lack of an internal automatic update mechanism means many users remain exposed.

    – A public proof-of-concept exploit is available and the NHS has issued an alert, making timely manual patching and cautious handling of archive files critical.

    In-Depth

    The widely adopted file archiver software 7‑Zip has come under fresh scrutiny due to two high-severity vulnerabilities that threaten both individual users and enterprise environments. Identified as CVE-2025-11001 and CVE-2025-11002, the flaws exploit how 7-Zip handles symbolic links embedded in ZIP archives. Attackers can craft a malicious archive such that when extracted, it traverses outside the intended extraction directory and writes files to unauthorized locations—potentially enabling arbitrary code execution in the context of a service or privileged account. The advisory from the Zero Day Initiative states that “crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account.”

    While these bugs were fixed by the 7-Zip developer (version 25.00) in July 2025, public disclosure only occurred in October, meaning many users were vulnerable for months. Compounding the problem, 7-Zip lacks an automatic update mechanism, so installations—especially portable or unmanaged ones—often remain on outdated builds. Security publications note that numerous systems “escape patch management” because of this.

    The reality of exploit risk has now increased: the NHS England alert confirms a public proof-of-concept (PoC) exploit exists and notes potential active exploitation, even though definitive in-the-wild campaign details remain limited. Given 7-Zip’s broad use across Windows desktops and servers—often for compressed files sent via email, network shares or downloads—the attack surface is significant. It takes only minimal user interaction (opening or extracting an archive) to trigger the vulnerability, which further lowers the barrier for attackers.

    For users and organizations, the mitigation strategy is clear: locate all installations of 7-Zip (including unmanaged or portable copies), determine their version (versions prior to 25.00 are susceptible), and manually update to version 25.01 or newer. Until patched, treat any ZIP files from untrusted sources with high caution: scan them with updated antivirus tools, refuse to open them without assurance, and implement archive-file extraction policies. In enterprise settings, leverage deployment tools (e.g., Intune, SCCM) to push the update and ensure logging of archive-extraction activities.
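One way to enforce an archive-extraction policy of the kind described above is to inspect a ZIP before any extractor touches it. The following is an added example, not code from the article, 7-Zip or the advisories; the function names `audit_zip` and `build_sample` are hypothetical and the sample archive is constructed. It goes slightly beyond symbolic links by also rejecting entry names that leave the extraction directory.

```python
import io
import posixpath
import stat
import zipfile

def _is_absolute(path: str) -> bool:
    # POSIX root or a Windows drive prefix such as "C:"
    return path.startswith("/") or (len(path) > 1 and path[1] == ":")

def _escapes(path: str) -> bool:
    norm = posixpath.normpath(path)
    return _is_absolute(path) or norm == ".." or norm.startswith("../")

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for each entry the policy rejects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if _escapes(name):
                findings.append((info.filename, "entry path leaves extraction directory"))
            # The Unix file mode is stored in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                # For a symlink entry, the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _is_absolute(target) or _escapes(resolved):
                    findings.append((info.filename, "symlink target leaves extraction directory"))
                else:
                    findings.append((info.filename, "symlink entry"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: one regular file and two symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/inner", "readme.txt"), ("docs/link", "../../outside")):
            link = zipfile.ZipInfo(name)
            link.create_system = 3  # Unix, so external_attr carries a file mode
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample()):
        print(f"REJECT {entry}: {reason}")
```

For archives from untrusted sources, any non-empty result is grounds to quarantine the file rather than extract it; this check complements updating 7-Zip and does not replace it.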

    Despite the conservative CVSS score of 7.0, the combination of widespread use, a publicly available exploit, and a manual-update requirement elevates the operational risk substantially. For administrators juggling numerous endpoints, this vulnerability acts as a timely reminder: even mature tools like 7-Zip require vigilant patching and process oversight. From a conservative, right-leaning cybersecurity perspective, this reinforces the importance of layered defence, zero-trust handling of untrusted files, and swift manual responses when automatic updates are absent. Patch swiftly, restrict risky extraction behaviour, and you’ll shrink the window of exposure before attackers exploit the gap.
