Redazione RHC : 18 October 2025 15:16
A proof-of-concept exploit has been developed for two critical vulnerabilities in the popular 7-Zip archiving software. These vulnerabilities could be exploited by attackers to remotely execute arbitrary code by sending malicious ZIP files.
Their CVSS v3.0 score is 7.0 for both, a rating that underscores the significant impact they can have, beyond the first impression of a less serious threat.
The flaws, identified as CVE-2025-11001 and CVE-2025-11002, were disclosed by the Zero Day Initiative (ZDI) on October 7, 2025 , and result from improper handling of symbolic links during ZIP extraction on Windows systems.
These issues affect 7-Zip versions 21.02 through 24.09, where flaws in the symbolic link conversion process allow path traversal attacks. Discovered by Ryota Shiga of GMO Flatt Security Inc., the vulnerabilities exploit the way 7-Zip processes Linux-style symbolic links, converting them to Windows equivalents without adequate security measures.
In a detailed analysis shared by security expert pacbypass , the bugs occur in the ArchiveExtractCallback.cpp module, specifically in functions like IsSafePath and CLinkLevelsInfo::Parse.
Subsequently, a check in CloseReparseAndFile omits the detailed directory examination for variables that do not represent a path, allowing the symlink to be directed randomly. With version 25.00, patches were applied, adding a new overload for IsSafePath , complete with a flag called isWSL and more precise parsing to precisely identify absolute paths, thus addressing these issues.
The main issue lies in 7-Zip’s extraction logic, which fails to properly validate symbolic link targets. When extracting a ZIP file containing a Linux symbolic link pointing to a Windows absolute path like C:Users, the software incorrectly classifies it as relative due to a faulty absolute path check, specific to Linux or WSL environments.
The PoC, available in the pacbypass GitHub repository, demonstrates this by unpacking a directory structure that dereferences the symlink, allowing arbitrary file writes.
However, exploitation requires elevated privileges, developer mode, or an elevated service context, making it limited to targeted attacks rather than large-scale phishing. It only works on Windows, ignoring Linux or macOS.
Users should immediately update to 7-Zip 25.00, as it comprehensively addresses these issues. Disabling support for symbolic links when extracting or scanning archives with antivirus tools can reduce exposure. These vulnerabilities highlight persistent risks in archive managers, recalling previous 7-Zip flaws such as directory traversal.
Redazione