Recent 7-Zip Vulnerability Exploited in Attacks
Threat actors are exploiting a recently patched 7-Zip vulnerability that leads to remote code execution (RCE), NHS England warns.
The bug, tracked as CVE-2025-11001 (CVSS score of 7.0), is described as a file parsing directory traversal issue, and requires user interaction for successful exploitation.
The flaw impacts 7-Zip’s handling of symbolic links in ZIP files, as crafted data could be used to traverse to unintended directories during processing.
“An attacker can leverage this vulnerability to execute code in the context of a service account,” a Trend Micro Zero Day Initiative (ZDI) advisory reads. According to ZDI, attack vectors depend on implementation.
Ryota Shiga of GMO Flatt Security was credited with finding this security defect and a second, closely related vulnerability tracked as CVE-2025-11002.
Both issues were reported to 7-Zip’s developers in May and were patched in 7-Zip version 25.00, which was released in July.
Now, NHS England, the National Health Service’s key governing body in England, warns that threat actors are targeting vulnerable 7-Zip installations in the wild.
“Active exploitation of CVE-2025-11001 has been observed in the wild,” the agency’s advisory reads, pointing out that a proof-of-concept (PoC) exploit targeting the bug is available.
“The PoC allows attackers to abuse symbolic-link handling to write files outside of the intended extraction folder, which in some scenarios, can enable arbitrary code execution,” NHS England notes.
According to security engineer Dominik C., the exploited vulnerability lies in how 7-Zip versions 21.02 through 24.09 convert symbolic links from Linux to Windows, and it can only be exploited on Windows systems.
The parser classifies a Linux symbolic link whose target is a Windows-style C:\ path as relative, because the target does not begin with a forward slash, yet it keeps the full C:\ path as the link target. The check that blocks links to absolute paths therefore never fires, the security engineer explains.
An attacker can thus craft an archive whose symbolic link points to a directory of their choosing; a later archive entry extracted through that link then writes a malicious binary there. The attack succeeds, however, only if 7-Zip runs with administrative privileges.
“This is because the 7-Zip process creates a symlink, which is a privileged operation on Windows. Hence the exploitation only makes sense when 7-Zip is used by a service account,” the engineer notes.
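To make the described check concrete, the following Python script is an added illustration and is not code from the article, from 7-Zip, or from the researchers quoted. It models the insufficient test as a POSIX-only notion of "absolute" (a leading "/"), which is an assumption about the logic and not 7-Zip's actual source, and sets beside it a stricter test that also rejects Windows drive-letter and UNC targets and parent traversal. It then scans a constructed ZIP archive for Unix symlink entries with unsafe targets; the archive, entry names and link targets are made up for the example.

```python
"""Scan a ZIP archive for Unix symlink entries with unsafe targets.

Added illustration for this article. It is not 7-Zip's code: naive_is_absolute
is a simplified model of the flaw as described (a relative/absolute test that
only looks for a leading '/'), and is_unsafe_link_target is what a hardened
extractor should do instead.
"""
import io
import re
import stat
import zipfile
from typing import List, Tuple

# Windows drive-letter prefix such as "C:\" or "c:/", and UNC prefix "\\server\share".
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")
_UNC_RE = re.compile(r"^[\\/]{2}")


def naive_is_absolute(target: str) -> bool:
    """Model of the insufficient test: a POSIX-only notion of 'absolute'.

    A Linux symlink whose target is 'C:\\Windows\\Temp' has no leading '/', so
    it is classified as relative and slips past an absolute-path block.
    """
    return target.startswith("/")


def is_unsafe_link_target(target: str) -> bool:
    """Stricter test: reject any target that can escape the extraction directory."""
    if _DRIVE_RE.match(target) or _UNC_RE.match(target):
        return True                      # Windows absolute path (drive letter or UNC)
    if target.startswith(("/", "\\")):
        return True                      # POSIX absolute or rooted path
    parts = re.split(r"[\\/]+", target)
    return ".." in parts                 # parent-directory traversal


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits live in the high 16 bits of external_attr for entries
    written on a Unix host (create_system == 3)."""
    mode = info.external_attr >> 16
    return info.create_system == 3 and stat.S_ISLNK(mode)


def find_unsafe_symlinks(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, link target) for every symlink entry whose target
    fails the strict check. For a symlink entry the stored data is the target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")
            if is_unsafe_link_target(target):
                findings.append((info.filename, target))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real-world exploit file): a Linux
    symlink aimed at a Windows drive path, a benign relative symlink, and a
    file entry that would be written through the first link on extraction."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add_link(name: str, target: str) -> None:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                              # "made on Unix"
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16   # symlink mode bits
            zf.writestr(zi, target)
        add_link("link", "C:\\Windows\\Temp")   # no leading '/', so the naive check says "relative"
        add_link("docs", "readme/")             # stays inside the extraction directory
        zf.writestr("link/payload.exe", b"MZ")  # lands in the link's target if the link is honoured
    return buf.getvalue()


if __name__ == "__main__":
    for name, target in find_unsafe_symlinks(build_sample_archive()):
        print(f"unsafe symlink entry {name!r} -> {target!r} "
              f"(naive check flags it: {naive_is_absolute(target)})")
```

Run against an archive from an untrusted source before handing it to an automated extractor, the scan reports the drive-letter link that the POSIX-only test would have accepted while ignoring the benign relative link. The same structure works for tar archives, where the link target is carried in the header rather than in the entry body.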
This article was published by Security Week. Please check their website for the original content.