
Critical vulnerability found in 7-Zip archiving tool

A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-11001 (CVSS 7.0), was disclosed in the popular open-source 7-Zip archiving tool, affecting all versions before 25.00, which was released in July 2025. The flaw stems from improper handling of symbolic links in ZIP archives, which lets attackers craft malicious files that achieve directory traversal outside the intended extraction folder. When a user extracts such a ZIP, the tool resolves the symlink and writes arbitrary files, including executables, to sensitive system locations like C:\Windows\System32, potentially leading to code execution under the user’s or service account’s privileges.
NHS England issued an urgent alert on active exploitation in the wild, noting a public proof-of-concept (PoC) exploit released by researcher Dominik (pacbypass), which demonstrates RCE via symlink abuse on Windows systems with elevated privileges or developer mode. A related flaw, CVE-2025-11002 (also CVSS 7.0), shares the same root cause and was patched simultaneously. The vulnerabilities were discovered by Ryota Shiga of GMO Flatt Security and reported via Trend Micro’s Zero Day Initiative; they require user interaction but pose a high risk in automated or privileged extraction scenarios.
No automatic updates exist for 7-Zip, so manual upgrades to version 25.00 or later are essential, alongside disabling symlink following where possible. Threat actors could leverage this for ransomware deployment, data theft, or persistence in enterprise environments that handle untrusted archives. Organizations using 7-Zip in pipelines face elevated supply chain risks.
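
A pre-extraction check for the archive pattern described above, added here as an example (it is not code from 7-Zip or from the advisory): it flags ZIP entries whose path leaves the extraction root and entries whose Unix mode marks them as symbolic links with a target outside that root. The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile
from pathlib import PurePosixPath, PureWindowsPath

def is_absolute(path: str) -> bool:
    """Rooted POSIX path, rooted Windows path, drive letter or UNC share."""
    return path.replace("\\", "/").startswith("/") or bool(PureWindowsPath(path).drive)

def climbs_out(path: str) -> bool:
    """True if '..' components take the path above the extraction root."""
    depth = 0
    for part in PurePosixPath(path.replace("\\", "/")).parts:
        depth += -1 if part == ".." else 1
        if depth < 0:
            return True
    return False

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for entries that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_absolute(name) or climbs_out(name):
                findings.append((name, "entry path leaves extraction root"))
            if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode: symlink
                with zf.open(info) as fh:  # the link target is the entry's data
                    target = fh.read(4096).decode("utf-8", "replace")
                parent = PurePosixPath(name.replace("\\", "/")).parent
                if is_absolute(target) or climbs_out(f"{parent}/{target}"):
                    findings.append((name, f"symlink points outside root: {target}"))
    return findings

def sample_archive() -> bytes:
    """Constructed sample: one file, one in-tree symlink, one escaping symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/ok", "../top.txt"), ("docs/link", "../../outside")):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # Unix, so the mode bits below are meaningful
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, target)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip(sample_archive()):
        print(finding)
```

In a pipeline that unpacks untrusted archives, any finding can be treated as a reason to quarantine the file before an extractor touches it.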
