Two critical vulnerabilities in 7-Zip’s handling of ZIP archives have emerged, enabling remote attackers to execute arbitrary code by exploiting directory traversal flaws.
Both issues stem from improper processing of symbolic links within ZIP files, allowing crafted archives to force traversal to unintended locations and ultimately run code under the context of vulnerable services.
Directory Traversal Leads to Code Execution
Security researchers disclosed two related vulnerabilities, tracked as CVE-2025-11002 (ZDI-25-950, ZDI-CAN-26743) and CVE-2025-11001 (ZDI-25-949, ZDI-CAN-26753).
In both cases, an attacker must supply a malicious ZIP file containing symbolic link entries that bypass the installer’s intended directory boundaries.
| CVE ID | CVSS Score | Affected Vendors | Affected Products |
| CVE-2025-11002 | 7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 7-Zip | 7-Zip |
| CVE-2025-11001 | 7.0, AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H | 7-Zip | 7-Zip |
When 7-Zip processes such archives, it inadvertently follows links into directories outside the extraction path.
This flaw can be leveraged to overwrite arbitrary files or place malicious payloads in sensitive locations, which can then be executed by interacting services or scheduled tasks.
Exploitation requires no user privileges and only minimal interaction, such as opening or extracting the archive in a compromised environment.
Proof-of-Concept and Exploit Scenarios
A proof-of-concept demonstrates creating a ZIP archive with a symbolic link entry named, for example, ../../../../windows/system32/malicious.dll pointing to an attacker-controlled file.
Upon extraction by a service running under the SYSTEM account, the DLL is placed in the System32 directory.
A subsequent request to load that library such as via a plugin or scheduled task results in arbitrary code execution with elevated privileges.
Security teams should audit systems that automatically process ZIP files, especially in enterprise file-sharing and automated backup solutions.
Implementing strict directory sanitization or disabling automatic extraction in untrusted contexts can mitigate exploitation prior to patch deployment.
7-Zip version 25.00 addresses both vulnerabilities by enforcing safe path canonicalization and blocking symbolic links that escape the intended extraction directory.
Administrators are urged to upgrade immediately. The vulnerabilities were reported to the vendor on 2025-05-02, with a coordinated public advisory released and updated on 2025-10-07.
Indicators of compromise (IoCs) include unexpected presence of DLLs or executables in protected directories following archive extraction and suspicious ZIP entries containing excessive path traversal sequences.
Organizations relying on automated ZIP extraction should review logs for anomalous directory traversal patterns and deploy the patched 7-Zip 25.00 promptly to prevent potential compromise.
Continuous monitoring of file-handling services and enforcing strict input validation remain essential defenses against similar ZIP-based attacks.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
