Red Hot Cyber
Let the hunt begin! Critical 7-Zip bug puts millions of users at risk.

Redazione RHC: 20 November 2025 08:02

Millions of users are exposed to malware infection and system compromise through active exploitation of a remote code execution (RCE) vulnerability in the popular 7-Zip archiver.

Disclosed in October 2025, the vulnerability carries a CVSS v3 score of 7.0 (High). The attack vector is local, meaning the victim has to open or extract a crafted archive, but no elevated privileges are needed and archives are trivial to distribute at scale.

Specifically, CVE-2025-11001 is a flaw in how 7-Zip handles symbolic links inside ZIP archives. A link entry whose target points outside the extraction directory is materialised and then followed when later entries are written, so a crafted archive can drop files in arbitrary locations (directory traversal), which an attacker can turn into code execution.

On November 18, 2025, the UK’s NHS England Digital issued an urgent advisory, confirming active exploitation of the CVE-2025-11001 bug and urging immediate updates to mitigate the risks.

The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., working with the company's AI-based AppSec Auditor tool, and was promptly reported to the 7-Zip developers.

Security experts at Trend Micro's Zero Day Initiative (ZDI) have disclosed details of how an attacker could use this flaw to break out of the directory an extractor is supposed to confine writes to. This significantly increases the risk in enterprises that process incoming files automatically, because the extraction runs without anyone looking at the archive.

This path traversal could allow attackers to overwrite critical system files or plant malicious payloads, leading to code execution in the context of the user or service account running the application.

A proof-of-concept (PoC) exploit has also been made public, demonstrating how a malicious ZIP file can abuse symbolic link handling to facilitate arbitrary file writes and, in certain scenarios, target the RCE.
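The two-entry pattern described above (a symlink entry that escapes the extraction directory, followed by a file entry written through it) is easy to recognise before an archive ever reaches an extractor. The following Python script is an added example, not the public PoC and not 7-Zip code: it builds a constructed sample archive in memory with that pattern and then audits it, flagging traversal in entry names, symlink entries whose resolved target leaves the destination, and entries written through an earlier symlink. The function names, the `/srv/extract` destination and the sample entry names are assumptions chosen for illustration.

```python
import io
import posixpath
import stat
import zipfile

# ZIP entries carry Unix mode bits in the top 16 bits of external_attr when
# create_system == 3 (Unix). S_IFLNK marks the entry as a symbolic link and the
# entry's *data* is the link target. 7-Zip, Info-ZIP and Python's zipfile all
# use this encoding.
UNIX = 3
SYMLINK_ATTR = (stat.S_IFLNK | 0o777) << 16


def build_symlink_zip(target="../../outside_the_sandbox"):
    """Constructed sample archive (not the public PoC) with the pattern
    CVE-2025-11001 is about: a symlink entry whose target points outside the
    extraction directory, followed by a regular file whose path goes *through*
    that link. An extractor that materialises the link and then follows it when
    writing the second entry ends up writing outside the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("escape")
        link.create_system = UNIX
        link.external_attr = SYMLINK_ATTR
        zf.writestr(link, target)  # for a symlink entry the data is the target path
        zf.writestr("escape/payload.txt", "written through the link\n")
    return buf.getvalue()


def _inside(path, dest):
    return path == dest or path.startswith(dest + "/")


def audit_zip(data, dest="/srv/extract"):
    """Return findings for an archive before it is handed to an extractor.
    Each finding is a tuple whose first element is the kind."""
    dest = posixpath.normpath(dest)
    findings = []
    symlinks = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            # 1. Classic traversal in the entry name itself.
            if name.startswith("/") or ".." in parts:
                findings.append(("traversal-name", name))
            # 2. Symlink entry: resolve its target relative to where the link
            #    would be created and check whether the result leaves dest.
            if info.create_system == UNIX and stat.S_ISLNK(info.external_attr >> 16):
                symlinks.add(name.rstrip("/"))
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.normpath(
                    posixpath.join(dest, posixpath.dirname(name), target))
                kind = "symlink" if _inside(resolved, dest) else "symlink-escape"
                findings.append((kind, name, target))
            # 3. Any later entry whose path passes through an earlier symlink
            #    would be written wherever that link points.
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append(("write-through-symlink", name, prefix))
                    break
    return findings


BLOCKING = {"traversal-name", "symlink-escape", "write-through-symlink"}


def is_safe_to_extract(data, dest="/srv/extract"):
    """Gate for an automated pipeline: refuse archives with any blocking finding."""
    return not any(f[0] in BLOCKING for f in audit_zip(data, dest))


if __name__ == "__main__":
    sample = build_symlink_zip()
    for finding in audit_zip(sample):
        print(finding)
    print("safe to extract:", is_safe_to_extract(sample))
```

The audit deliberately treats any write through a symlink as blocking, even when the link target stays inside the destination, because the cost of a false positive on archives that legitimately ship symlinks is far lower than an arbitrary file write on a server that unpacks untrusted uploads. Run the gate in front of the extractor in automated file-processing pipelines, in addition to updating 7-Zip itself.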

The public PoC has lowered the bar for attackers, and the number of attacks detected in the wild has grown accordingly. Exploitation requires only that the victim open or extract the malicious archive, a trigger that phishing campaigns and drive-by downloads already rely on.

Threat actors could use this RCE to distribute ransomware, steal sensitive data, or create persistent backdoors, amplifying the threat in supply chain attacks where compromised archives spread via email or shared drives.

To remove this risk, users and organizations should update 7-Zip to version 25.00 or later, available from the official website, which applies stricter path canonicalization to block traversal attempts. 7-Zip has no auto-update mechanism, so every installation, including copies bundled with other software, has to be updated by hand.

The release fixes two bugs, CVE-2025-11001 and CVE-2025-11002. All Windows systems running a 7-Zip version earlier than 25.00 are affected, while no impact has been reported on Linux or macOS. One caveat for assessing exposure on Windows: creating a symbolic link there requires the SeCreateSymbolicLinkPrivilege (granted to administrators by default) or Developer Mode, so the extracting user or service account needs that capability for the link entry to be materialised at all. Service accounts that unpack untrusted archives should be checked for it.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
