Redazione RHC: 10 October 2025 15:52
Two critical vulnerabilities in the 7-Zip archiver allowed remote code execution when processing ZIP files. The flaws affect how the program handles symbolic links within archives, allowing directory traversal and system file replacement.
The issues are tracked under the identifiers CVE-2025-11002 and CVE-2025-11001. In both cases, an attacker simply needs to prepare a ZIP archive with a special structure, including links to external directories.
When a vulnerable version of 7-Zip unpacks such an archive, the program follows the link and extracts the contents beyond the target folder. This allows malicious components to be replaced or injected into critical areas of the system.
A potential attack might look like this: an archive is created containing an item that references, for example, a malicious library in the system32 directory. If such a file is unpacked by a process with administrator privileges, the library is placed in the system directory and can be started automatically, via a scheduler, or when a required module is loaded. Exploitation does not require elevated privileges; user interaction with the malicious archive is sufficient.
According to the research team, the threat is particularly dangerous for enterprise systems where ZIP files are processed automatically, such as during backups, file sharing, or installing updates. In such scenarios, arbitrary code injection could compromise the entire infrastructure.
7-Zip developers fixed the vulnerabilities in version 25.00. The update implements strict path checking and blocks symbolic links that point outside the extraction directory. The developers were notified on May 2, 2025; the fix was released on July 5 and the public announcement followed on October 7.
Experts recommend installing the latest version of the program and checking systems that automatically unpack archives. Signs of compromise may include unknown libraries or executable files in protected directories and ZIP files containing entries with suspiciously long paths.
Keeping software up to date, reviewing logs, and filtering archive contents remain reliable defenses against such attacks.