Close Menu

    Subscribe to Updates

    Get the latest tech news from Tallwire.

      What's Hot

      Safely Recycling an Old PC Starts With Protecting Your Data

      July 17, 2026

      Architects Look to Beautify Data Centers as AI Expansion Sparks Local Resistance

      July 17, 2026

      The AI Gold Rush’s House of Cards: When Financial Engineering Begins to Eclipse Innovation

      July 17, 2026
      Facebook X (Twitter) Instagram
      • Tech
      • AI
      • Get In Touch
      Facebook X (Twitter) LinkedIn
      TallwireTallwire
      • Tech

        Safely Recycling an Old PC Starts With Protecting Your Data

        July 17, 2026

        Trump Takes Measured Approach to Winning the Quantum Race

        July 17, 2026

        U.N. Chief Renews Push for Global Ban on Autonomous AI Weapons

        July 17, 2026

        Aviation Industry Seeks to Rebrand “Drones” as Consumer and Passenger Flight Technologies

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026
      • AI

        Architects Look to Beautify Data Centers as AI Expansion Sparks Local Resistance

        July 17, 2026

        U.N. Chief Renews Push for Global Ban on Autonomous AI Weapons

        July 17, 2026

        China Uses Open-Source AI Push to Expand Global Influence

        July 17, 2026

        Starbucks’s AI Shift Signals Growing Revolt Against Legacy Enterprise Software

        July 16, 2026

        New AI Safety Proposal Calls for U.S.-China Pause on Frontier AI Development

        July 16, 2026
      • Security

        Safely Recycling an Old PC Starts With Protecting Your Data

        July 17, 2026

        U.N. Chief Renews Push for Global Ban on Autonomous AI Weapons

        July 17, 2026

        China Uses Open-Source AI Push to Expand Global Influence

        July 17, 2026

        New AI Safety Proposal Calls for U.S.-China Pause on Frontier AI Development

        July 16, 2026

        Social Media Ban Proposal Sparks Fears of Collateral Damage for Educational Technology Firms

        July 16, 2026
      • Health

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        AI Chatbots Increasingly Clash With Eating Disorder Treatment

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026

        Humanoid Robots Complete First Live Surgical Procedures in Medical Milestone

        July 14, 2026

        Meta Patent Ignites Fresh Fears Over AI-Powered Emotional Surveillance

        July 14, 2026
      • Science

        Trump Takes Measured Approach to Winning the Quantum Race

        July 17, 2026

        AI Chatbots Face Growing Scrutiny as Mental Health Risks Draw Medical Alarm

        July 16, 2026

        U.S. Biotechs Turn to Secrecy as China Accelerates Drug Development Race

        July 16, 2026

        Scientists Advance “StormWall” Concept to Defend Earth from Catastrophic Solar Storms

        July 15, 2026

        Personalized UVB Device Promises Vitamin D Benefits While Raising Questions About Medicalizing Everyday Health

        July 15, 2026
      • Tech

        AI Protesters March on Silicon Valley Giants Demanding Development Freeze

        July 14, 2026

        Palo Alto Networks CEO Warns AI Costs Must Plunge Before Enterprise Adoption Can Accelerate

        July 14, 2026

        DeepMind Unionization Effort Encounters Early Resistance as Labor Talks Stall

        July 11, 2026

        Always-On Workplace Culture Pushes Employees Toward the Breaking Point

        July 10, 2026

        High-Income Families Embrace AI-Driven Schools as Alternative Education Expands

        July 9, 2026
      TallwireTallwire
      Home»Tech»Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update
      Tech

      Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update

      4 Mins Read
      Facebook Twitter Pinterest LinkedIn Tumblr Email
      Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update
      Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update
      Share
      Facebook Twitter LinkedIn Pinterest Email

      A newly discovered zero-day vulnerability in the widely used archive tool 7-Zip (tracked as CVE-2025-11001 and a related flaw CVE-2025-11002) allows attackers to exploit how the software handles symbolic links inside ZIP files to perform directory traversal and remote code execution. According to advisories from the Zero Day Initiative (ZDI), these flaws carry a CVSS base score of 7.0 and were patched in version 25.00, yet many systems remain vulnerable because 7-Zip lacks an automated update mechanism. The National Health Service England (NHS England) confirmed that a proof-of-concept exploit is publicly available and that some attacks exploiting the flaw may already be taking place. The urgent takeaway is that users and administrators must manually install version 25.01 (or newer) of 7-Zip immediately and apply standard security mitigations for archive file processing.

      Sources: Hack Read, Hacker News

      Key Takeaways

      – The vulnerabilities (CVE-2025-11001 and CVE-2025-11002) stem from improper handling of symbolic links in ZIP files by 7-Zip, enabling directory traversal and potentially remote code execution.

      – Though patched in version 25.00 (and superseded by 25.01), the lack of an internal automatic update mechanism means many users remain exposed.

      – A public proof-of-concept exploit is available and the NHS has issued an alert, making timely manual patching and cautious handling of archive files critical.

      In-Depth

      The widely adopted file archiver software 7‑Zip has come under fresh scrutiny due to two high-severity vulnerabilities that threaten both individual users and enterprise environments. Identified as CVE-2025-11001 and CVE-2025-11002, the flaws exploit how 7-Zip handles symbolic links embedded in ZIP archives. Attackers can craft a malicious archive such that when extracted, it traverses outside the intended extraction directory and writes files to unauthorized locations—potentially enabling arbitrary code execution in the context of a service or privileged account. The advisory from the Zero Day Initiative states that “crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account.”

      While these bugs were fixed by the 7-Zip developer (version 25.00) in July 2025, public disclosure only occurred in October, meaning many users were vulnerable for months. Compounding the problem, 7-Zip lacks an automatic update mechanism, so installations—especially portable or unmanaged ones—often remain on outdated builds. Security publications note that numerous systems “escape patch management” because of this.

      The reality of exploit risk has now increased: the NHS England alert confirms a public proof-of-concept (PoC) exploit exists and notes potential active exploitation, even though definitive in-the-wild campaign details remain limited. Given 7-Zip’s broad use across Windows desktops and servers—often for compressed files sent via email, network shares or downloads—the attack surface is significant. It takes only minimal user interaction (opening or extracting an archive) to trigger the vulnerability, which further lowers the barrier for attackers.

      For users and organizations, the mitigation strategy is clear: locate all installations of 7-Zip (including unmanaged or portable copies), determine their version (versions prior to 25.00 are susceptible), and manually update to version 25.01 or newer. Until patched, treat any ZIP files from untrusted sources with high caution: scan them with updated antivirus tools, refuse to open them without assurance, and implement archive-file extraction policies. In enterprise settings, leverage deployment tools (e.g., Intune, SCCM) to push the update and ensure logging of archive-extraction activities.

      Despite the conservative CVSS score of 7.0, the combination of widespread use, a publicly available exploit, and a manual-update requirement elevates the operational risk substantially. For administrators juggling numerous endpoints, this vulnerability acts as a timely reminder: even mature tools like 7-Zip require vigilant patching and process oversight. From a conservative, right-leaning cybersecurity perspective, this reinforces the importance of layered defence, zero-trust handling of untrusted files, and swift manual responses when automatic updates are absent. Patch swiftly, restrict risky extraction behaviour, and you’ll shrink the window of exposure before attackers exploit the gap.

      Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
      Previous ArticleCreepy AI Chatbot PSA Sparks Debate On National AI Regulation
      Next Article Critical GeminiJack Zero-Click Vulnerability in Google Gemini Enterprise Exposed Corporate Data

      Related Posts

      Safely Recycling an Old PC Starts With Protecting Your Data

      July 17, 2026

      Trump Takes Measured Approach to Winning the Quantum Race

      July 17, 2026

      U.N. Chief Renews Push for Global Ban on Autonomous AI Weapons

      July 17, 2026

      Aviation Industry Seeks to Rebrand “Drones” as Consumer and Passenger Flight Technologies

      July 16, 2026
      Add A Comment
      Leave A Reply Cancel Reply

      Editors Picks

      Safely Recycling an Old PC Starts With Protecting Your Data

      July 17, 2026

      Trump Takes Measured Approach to Winning the Quantum Race

      July 17, 2026

      U.N. Chief Renews Push for Global Ban on Autonomous AI Weapons

      July 17, 2026

      Aviation Industry Seeks to Rebrand “Drones” as Consumer and Passenger Flight Technologies

      July 16, 2026
      Popular Topics
      Satya Nadella UAE Tech Viral spotlight Sundar Pichai Taiwan Tech Software Tesla Startup SpaceX Series B trending Samsung Tim Cook Satellite Tesla Cybertruck Series A Space starlink Stocks
      Major Tech Companies
      • Apple News
      • Google News
      • Meta News
      • Microsoft News
      • Amazon News
      • Samsung News
      • Nvidia News
      • OpenAI News
      • Tesla News
      • AMD News
      • Anthropic News
      • Elbit News
      AI & Emerging Tech
      • AI Regulation News
      • AI Safety News
      • AI Adoption
      • Quantum Computing News
      • Robotics News
      Key People
      • Sam Altman News
      • Jensen Huang News
      • Elon Musk News
      • Mark Zuckerberg News
      • Sundar Pichai News
      • Tim Cook News
      • Satya Nadella News
      • Mustafa Suleyman News
      Global Tech & Policy
      • Israel Tech News
      • India Tech News
      • Taiwan Tech News
      • UAE Tech News
      Startups & Emerging Tech
      • Series A News
      • Series B News
      • Startup News
      Tallwire
      Facebook X (Twitter) LinkedIn Threads Instagram RSS
      • Tech
      • Entertainment
      • Business
      • Government
      • Academia
      • Transportation
      • Legal
      • Press Kit
      © 2026 Tallwire. Optimized by ARMOUR Digital Marketing Agency.

      Type above and press Enter to search. Press Esc to cancel.