7-Zip vulnerability is being actively exploited, NHS England warns (CVE-2025-11001)

NHS England Digital, the technology arm of the publicly-funded health service for England, has issued a warning about a 7-Zip vulnerability (CVE-2025-11001) being exploited by attackers.

“Active exploitation of CVE-2025-11001 has been observed in the wild,” the alert says, though it does not say who detected the attacks or whether they might be targeted or widespread.

CVE-2025-11001 and CVE-2025-11002

Introduced in 7-Zip v21.02, CVE-2025-11001 and CVE-2025-11002 are two path/directory traversal flaws that have been fixed in 7-Zip v25.00, released in July 2025.

The vulnerabilities were publicly revealed via Zero Day Initiative advisories on October 7, 2025, and credited to Ryota Shiga of GMO Flatt Security, who discovered them by using the company’s AI-powered application security auditor (Takumi).

“The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account,” both advisories note.

Another security researcher who goes by “PacBypass” analyzed the code differences between 7-Zip v24.09 and v25.00 and, ten days later, published a technical write-up about CVE-2025-11001 and a proof-of-concept exploit for it.

CVE-2025-11001 is only exploitable on Windows and only from the context of an elevated user/service account or a Windows machine with Developer Mode enabled, PacBypass noted.

“This is because the 7-Zip process creates a symlink, which is a privileged operation on Windows. Hence the exploitation only makes sense when 7-Zip is used by a service account,” he explained.
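The mechanism described above (a symlink entry inside a ZIP redirecting later writes outside the extraction directory) can be checked for before an archive is handed to an extractor. The following is an added example, not 7-Zip's own code or the researcher's proof of concept: a pre-extraction audit that flags entry names that escape the root, symlink entries whose target points above the root, and entries whose path passes through an earlier symlink. It assumes symlinks are recorded Info-ZIP style, as a Unix `S_IFLNK` mode in the high 16 bits of the external attributes; archives that encode symlinks differently need a different check.

```python
import io
import posixpath
import stat
import zipfile


def escapes_root(base_dir: str, target: str) -> bool:
    """True if `target`, resolved relative to `base_dir`, leaves the extraction root."""
    if posixpath.isabs(target) or target[:1] == "\\" or target[1:2] == ":":
        return True  # absolute POSIX path, backslash-rooted path, or drive letter
    joined = posixpath.normpath(posixpath.join(base_dir, target))
    return joined == ".." or joined.startswith("../")


def audit_zip(data: bytes) -> list[str]:
    """Return one finding per entry that could land outside the extraction directory.
    An empty list means no traversal via entry names or symlinks was seen."""
    findings, symlinks = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if escapes_root("", name):  # classic "zip slip" in the entry name itself
                findings.append(f"{name}: entry name escapes the extraction root")
                continue
            # An entry whose path passes through an earlier symlink entry is written
            # wherever that link points; this is how a symlink turns into a file write.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append(f"{name}: path goes through symlink entry {prefix}")
                    break
            if stat.S_ISLNK(info.external_attr >> 16):  # Unix mode in the high 16 bits
                target = zf.read(info).decode("utf-8", "replace")
                symlinks.add(name)
                if escapes_root(posixpath.dirname(name), target):
                    findings.append(f"{name}: symlink target {target!r} escapes the extraction root")
    return findings


def sample_archive(malicious: bool) -> bytes:
    """Constructed in-memory fixture (not a real-world sample): a plain file plus,
    when `malicious`, a symlink pointing above the root and a file routed through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        if malicious:
            link = zipfile.ZipInfo("docs/link")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../outside")
            zf.writestr("docs/link/dropped.txt", "x")
    return buf.getvalue()
```

Run `audit_zip` on an archive before extraction and refuse or quarantine anything that returns findings; this only inspects the central directory and link targets, it never extracts.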

Pre-empt attackers by updating 7-Zip

In August 2025, a third researcher revealed an arbitrary file write vulnerability (CVE-2025-55188) caused by 7-Zip’s improper handling of symbolic links, which may lead to code execution when the user extracts a maliciously crafted archive with 7-Zip.

CVE-2025-55188 was fixed in 7-Zip v25.01. “The code for handling symbolic links has been changed to provide greater security when extracting files from archives,” 7-Zip creator and maintainer Igor Pavlov noted at the time.

7-Zip users have been urged to upgrade to the latest available version as soon as possible, since the software does not have an auto-update feature.

Help Net Security has reached out to NHS England Digital for additional information about the attacks, and we’ll update this article when we hear back from them.
