7-Zip Weaknesses Permit Attackers to Remotely Run Any Code


The well-known open-source file archiver 7-Zip has been found to contain two high-severity flaws that might let remote attackers run arbitrary code.

The vulnerabilities, tracked as CVE-2025-11001 and CVE-2025-11002, affect all versions before the most recent release and should be patched right away.

Flaw in Symbolic Link Processing

Both vulnerabilities stem from the way 7-Zip handles symbolic links contained in ZIP archives. According to the advisory, a threat actor can exploit the flaw by creating a malicious ZIP file with manipulated contents.

When a user running a vulnerable version of 7-Zip decompresses such an archive, the faulty symbolic link handling can be abused to perform a directory traversal.


As a result, files outside of the designated destination folder may be written during the extraction process, possibly introducing dangerous payloads into sensitive system areas.
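A pre-extraction check for the pattern described above, as an added example (not code from 7-Zip or from the advisory): it lists symbolic-link entries in a ZIP whose targets resolve outside the extraction root, and entries that would be written through an archive-supplied link. The function names and the sample archive are constructed for illustration, and the check is a generic one rather than a reproduction of the specific 7-Zip defect.

```python
import io
import posixpath
import stat
import zipfile

def link_target(zf, info):
    """Return the target stored in a symlink entry, or None for other entries."""
    mode = info.external_attr >> 16  # Unix mode bits, set by Unix-side archivers
    if stat.S_ISLNK(mode):
        return zf.read(info).decode("utf-8", "replace")
    return None

def escapes(entry_name, target):
    """True if a link stored at entry_name with this target leaves the root."""
    t = target.replace("\\", "/")
    if t.startswith("/") or (len(t) > 1 and t[1] == ":"):  # absolute, UNC, drive
        return True
    base = posixpath.dirname(entry_name)
    resolved = posixpath.normpath(posixpath.join(base, t))
    return resolved == ".." or resolved.startswith("../")

def audit_zip(data):
    """Return (entry, reason) findings for a ZIP archive passed as bytes."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rstrip("/")
            target = link_target(zf, info)
            if target is not None:
                links.add(name)
                if escapes(name, target):
                    findings.append((name, "symlink escapes root: " + target))
            parts = name.split("/")
            for i in range(1, len(parts)):  # entry stored beneath an earlier link
                parent = "/".join(parts[:i])
                if parent in links:
                    findings.append((name, "written through symlink " + parent))
    return findings

def build_sample():
    """Constructed sample: a link leaving the root and a file stored under it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
        zf.writestr("docs/link/payload.txt", "constructed")
        zf.writestr("docs/readme.txt", "benign")
    return buf.getvalue()
```

Running `audit_zip(build_sample())` reports the link entry and the file stored beneath it, while the benign `docs/readme.txt` produces no finding.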

Although the malicious file is delivered remotely to start the attack, the victim must choose to open the archive, so exploitation requires user interaction. Depending on how 7-Zip is used in various contexts, the precise attack vectors might change.

With a CVSS 3.0 score of 7.0, CVE-2025-11001 and CVE-2025-11002 are both categorized as high-severity risks.

If the exploit is successful, an attacker could execute arbitrary code on the compromised machine with the privileges of the user or service account running the 7-Zip application.

This might result in data theft, a complete system breach, or the deployment of further malware, such as ransomware.


Although the vulnerabilities are not rated critical, owing to the high attack complexity and the need for user interaction, the potential impact on confidentiality, integrity, and availability remains substantial given how widely 7-Zip is used.

| CVE ID | Affected Product | Vulnerability | CVSS 3.0 Score |
|---|---|---|---|
| CVE-2025-11002 | 7-Zip (versions before 25.00) | Arbitrary Code Execution via Symbolic Link Handling | 7.0 (High) |
| CVE-2025-11001 | 7-Zip (versions before 25.00) | Arbitrary Code Execution via Symbolic Link Handling | 7.0 (High) |

The 7-Zip developer has released version 25.00, which addresses these security vulnerabilities. All users are strongly advised to update their installations right away to guard against possible exploitation.

Following a responsible disclosure schedule, the vulnerabilities were first brought to the vendor’s attention on May 2, 2025.

A coordinated public advisory was then issued on October 7, 2025, to inform the public about the risks and the available patch. Working with Takumi-san.ai, security researcher Ryota Shiga of GMO Flatt Security Inc. discovered these vulnerabilities.

About the Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
