Two high-severity vulnerabilities have been discovered in the popular open-source file archiver, 7-Zip, which could allow remote attackers to execute arbitrary code.
Identified as CVE-2025-11001 and CVE-2025-11002, the flaws affect all versions of the software prior to 25.00 and require immediate patching.
Flaw in Symbolic Link Processing
The core of both vulnerabilities lies within the way 7-Zip handles symbolic links embedded in ZIP archives. According to the advisory, a threat actor can create a malicious ZIP file containing crafted data that exploits this weakness.
When a user with a vulnerable version of 7-Zip attempts to decompress the archive, the flawed process can be manipulated to perform a directory traversal.
This allows the extraction process to write files outside of the intended destination folder, potentially placing malicious payloads in sensitive system locations.
While the attack is initiated remotely through the delivery of the malicious file, exploitation requires user interaction, as the victim must choose to open the archive. The specific attack vectors may vary depending on how 7-Zip is implemented within different environments.
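A pre-extraction check for the pattern described above, as an added example that is not taken from the advisory or the 7-Zip project. It covers only the generic archive pattern (symbolic-link entries marked with a Unix file mode, link targets that resolve outside the extraction folder, and files written through an earlier link), not the specific 7-Zip flaw, whose details the article does not give. The names `audit_zip` and `_escapes` are hypothetical.

```python
import io
import posixpath
import stat
import sys
import zipfile


def _escapes(path: str) -> bool:
    """True if a '/'-separated path is absolute, has a drive letter, or climbs above the root."""
    norm = posixpath.normpath(path)
    return norm.startswith("/") or norm[1:2] == ":" or norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> list[str]:
    """Return findings for entries that could make extraction write outside its folder."""
    findings = []
    links = set()  # normalized archive paths already declared as symbolic links
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # central-directory order, normally extraction order
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if _escapes(name):
                findings.append(f"traversal-name: {info.filename}")
            # A file placed under a path that an earlier entry declared as a link
            # is written wherever that link points.
            parts = norm.split("/")
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append(f"through-symlink: {info.filename}")
            # Assumption: the archive marks links Info-ZIP style, with the Unix
            # file mode stored in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(norm)
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                joined = posixpath.join(posixpath.dirname(norm), target)
                escaped = target[1:2] == ":" or _escapes(joined)
                kind = "symlink-escape" if escaped else "symlink"
                findings.append(f"{kind}: {info.filename} -> {target}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_zip.py archive.zip  (nonzero exit when anything is flagged)
    results = audit_zip(open(sys.argv[1], "rb").read())
    print("\n".join(results) or "no symlink or traversal entries found")
    sys.exit(1 if results else 0)
```

Run it on archives from untrusted sources before extraction; any `symlink-escape` or `through-symlink` finding is a reason to quarantine the file rather than open it.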
Both CVE-2025-11001 and CVE-2025-11002 have been assigned a CVSS 3.0 score of 7.0, classifying them as high-severity threats.
A successful exploit could allow an attacker to execute arbitrary code on the affected system with the privileges of the service account or user running the 7-Zip application.
This could lead to a full system compromise, data theft, or the deployment of further malware such as ransomware.
The high complexity of the attack and the requirement for user interaction prevent the vulnerabilities from receiving a critical rating, but the potential impact on confidentiality, integrity, and availability remains significant given the widespread use of the 7-Zip utility.
| CVE ID | Affected Product | Vulnerability | CVSS 3.0 Score |
|---|---|---|---|
| CVE-2025-11002 | 7-Zip (versions before 25.00) | Arbitrary Code Execution via Symbolic Link Handling | 7.0 (High) |
| CVE-2025-11001 | 7-Zip (versions before 25.00) | Arbitrary Code Execution via Symbolic Link Handling | 7.0 (High) |
The developer of 7-Zip has released version 25.00, which rectifies these security flaws. All users are strongly advised to update their installations immediately to protect against potential exploitation.
The vulnerabilities were initially reported to the vendor on May 2, 2025, following a responsible disclosure timeline.
A coordinated public advisory was subsequently released on October 7, 2025, to inform the public of the risks and the available patch. These vulnerabilities were uncovered by security researcher Ryota Shiga of GMO Flatt Security Inc., working with takumi-san.ai.