
Remote Code Execution Flaw in 7-Zip Under Active Attack


A recently disclosed security flaw impacting 7-Zip is now being actively exploited in the wild, according to an advisory issued by the U.K.'s NHS England Digital on Tuesday.

The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It was addressed in 7-Zip version 25.00, released in July 2025.

“The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories,” Trend Micro’s Zero Day Initiative (ZDI) said in an alert released last month. “An attacker can leverage this vulnerability to execute code in the context of a service account.”

Ryota Shiga of GMO Flatt Security Inc., along with the company’s artificial intelligence (AI)-powered AppSec Auditor Takumi, discovered and reported the vulnerability.

It’s worth noting that 7-Zip 25.00 also resolves another flaw, CVE-2025-11002 (CVSS score: 7.0), that allows for remote code execution by taking advantage of improper handling of symbolic links within ZIP archives, resulting in directory traversal. Both shortcomings originated in version 21.02.

“Active exploitation of CVE-2025-11001 has been observed in the wild,” NHS England Digital said. However, there are currently no details on how threat actors are weaponizing it, who is using it, or in what context.

Given that proof-of-concept (PoC) exploits exist, 7-Zip users must move quickly to apply the necessary fixes, if they have not already done so, to ensure optimal protection.

“This vulnerability can only be exploited from the context of an elevated user / service account or a machine with developer mode enabled,” security researcher Dominik (aka pacbypass), who released the PoC, said in a post detailing the flaw. “This vulnerability can only be exploited on Windows.”



Source: TheHackerNews
