Malicious Actors Exploit RCE Vulnerability in 7-Zip

NHS England Digital is warning about active exploitation of CVE-2025-11001, a vulnerability in the 7-Zip archiver. Users are urged to update to version 25.00 (released in July 2025) or later.

Vulnerability Details

CVE-2025-11001 (CVSS score: 7.0) stems from improper handling of symbolic links stored in ZIP archives. When a user extracts a specially crafted archive, 7-Zip materialises a symbolic link from the archive and then writes later entries through it, so files land outside the intended extraction directory (a directory traversal). An attacker who can place files in locations of their choosing can use this to execute arbitrary code in the context of the account running 7-Zip. Exploitation requires a victim to extract an attacker-supplied archive.

The issue was fixed in 7-Zip version 25.00, released in July 2025. Notably, a closely related vulnerability, CVE-2025-11002 (also CVSS score: 7.0), was patched in the same release. It likewise involves symbolic link handling during extraction and likewise permits remote code execution. Both flaws were introduced with version 21.02, so every release from 21.02 up to the fix is affected.
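The archive pattern behind this class of bug is simple to recognise at the ZIP format level: a symbolic link entry (Unix mode bits in the high 16 bits of the external attributes, with the link target stored as the entry's data) whose target leaves the extraction directory, followed by a regular entry whose path runs through that link. The following Python script is an added example written for this article; it is not 7-Zip code and not the published proof of concept. It constructs such an archive in memory (the entry names `link`, `link/payload.txt` and the target `../../outside` are made up for illustration) and then scans any archive for the two-step pattern. It is a triage aid for mail gateways or analysts, not a reproduction of the exploit: whether 7-Zip on Windows actually creates the link depends on the privilege conditions described under Exploitation Requirements below, and Windows-specific resolution rules (drive letters, junctions) are only approximated here.

```python
"""Triage check for ZIP archives that abuse symbolic-link entries.

Constructed example, not 7-Zip code and not the public proof of concept:
it builds a small archive in memory that contains a Unix symlink entry
pointing outside the extraction directory, followed by a regular file
entry whose path runs through that link, and then scans the archive for
exactly that pattern.
"""
import io
import posixpath
import stat
import zipfile


def build_sample_zip(malicious: bool = True) -> bytes:
    """Return a constructed sample archive (names are made up for illustration).

    malicious=True:  symlink 'link' -> '../../outside', then 'link/payload.txt'.
    malicious=False: symlink 'docs/latest' -> 'readme.txt' (stays inside), plus
                     ordinary files.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        if malicious:
            link = zipfile.ZipInfo("link")
            target = "../../outside"
            payload_name = "link/payload.txt"
        else:
            link = zipfile.ZipInfo("docs/latest")
            target = "readme.txt"
            payload_name = "docs/notes.txt"
        link.create_system = 3                              # 3 = Unix host; the high
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # 16 bits carry st_mode
        zf.writestr(link, target)                           # a symlink's data is its target
        zf.writestr(payload_name, "payload")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True when the entry's Unix mode bits mark it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def target_escapes(link_name: str, target: str) -> bool:
    """True when following the link from its own directory leaves the root."""
    t = target.replace("\\", "/")
    if t.startswith("/") or (len(t) >= 2 and t[1] == ":"):
        return True                       # absolute POSIX path or drive letter
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(link_name), t))
    return resolved == ".." or resolved.startswith("../")


def scan_zip(data: bytes) -> list:
    """Return findings as (kind, entry, detail) tuples; empty list when clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        links = {}
        for info in infos:
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[info.filename.rstrip("/")] = target
                if target_escapes(info.filename, target):
                    findings.append(("symlink-escape", info.filename, target))
        # Any non-link entry whose path passes through a link directory is
        # written wherever the link points once the link has been created.
        for info in infos:
            if is_symlink(info):
                continue
            parts = info.filename.split("/")
            for depth in range(1, len(parts)):
                prefix = "/".join(parts[:depth])
                if prefix in links:
                    findings.append(("write-through-symlink", info.filename, prefix))
                    break
    return findings


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample_zip(True)),
                        ("benign", build_sample_zip(False))):
        print(label, scan_zip(blob) or "no findings")
```

A symlink entry on its own is not proof of malice (source tarballs repackaged as ZIP often contain relative links), which is why the scanner reports two distinct findings: a link whose target escapes the extraction root, and a write that passes through a link. Either is worth quarantining an inbound archive for; both together are the shape of this bug class.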

Exploitation Requirements

According to the security researcher known as pacbypass, who published a proof-of-concept exploit for CVE-2025-11001, the technique only works on Windows and depends on the extracting process being allowed to create symbolic links. By default Windows grants the SeCreateSymbolicLinkPrivilege only to administrators, so successful exploitation requires one of the following:

  • 7-Zip running under a privileged user or service account, or
  • A machine with Developer Mode enabled, which lets unprivileged users create symbolic links

Active Exploitation Confirmed

This week, NHS England Digital warned that CVE-2025-11001 is being exploited in real-world attacks. Details remain scarce, however: it is not known who is behind the attacks, who the targets are, or exactly how the vulnerability is being used.

Recommendations

Given the availability of a public exploit and confirmed attacks, 7-Zip users should update to version 25.00 or later immediately. Note that 7-Zip has no built-in automatic update mechanism, so the new version must be downloaded and installed manually; running 7z.exe without arguments prints the installed version in its banner, which makes it easy to confirm the upgrade took effect. Since exploitation requires the victim to extract an attacker-supplied archive, archives from untrusted sources should be treated with the same caution as executables until the update is in place.