Full Report
A recently disclosed security flaw impacting 7-Zip has come under active exploitation in the wild, according to an advisory issued by the U.K. NHS England Digital on Tuesday. The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which allows remote attackers to execute arbitrary code. It has been addressed in 7-Zip version 25.00 released in July 2025. "The specific flaw exists
Analysis Summary
# Vulnerability: 7-Zip Remote Code Execution via Symbolic Link Handling
## CVE Details
- CVE ID: CVE-2025-11001
- CVSS Score: 7.0 (High)
- CWE: Not stated in the snippet; the behaviour described (a symbolic-link entry redirecting writes outside the extraction directory) matches CWE-22, Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).
## Affected Systems
- Products: 7-Zip
- Versions: All versions prior to 25.00. The symbolic-link handling in which the flaw lives was introduced in 21.02, so builds from 21.02 up to but not including 25.00 are the exposed range.
- Configurations: Exploitation is only viable on Windows, and only when 7-Zip runs in a context that is permitted to create symbolic links: an elevated (administrator/SYSTEM) user or service account, or any account on a machine with Developer Mode enabled.
## Vulnerability Description
The vulnerability resides in 7-Zip's handling of symbolic-link entries within ZIP archives. A crafted archive can first create a symbolic link whose target lies outside the chosen extraction directory and then carry an entry whose path passes through that link, so 7-Zip writes the extracted file to a location the user never selected. That out-of-directory file write is the primitive an attacker chains into Remote Code Execution (RCE), for example by planting a file somewhere it will later be executed.
*Note: CVE-2025-11002, also fixed in 25.00, is a closely related symbolic-link handling issue in ZIP archives that likewise results in directory traversal.*
## Exploitation
- Status: **Exploited in the wild** (per the NHS England Digital advisory)
- Complexity: High. The CVSS 7.0 score reflects the preconditions: Windows only, and an elevated context or Developer Mode so that the symbolic link can actually be created.
- Attack Vector: Remote delivery of a prepared ZIP file; user interaction is required, since the victim must extract the archive with a vulnerable 7-Zip.
## Impact
- Confidentiality: High (RCE context implies potential data exfiltration or access to sensitive information)
- Integrity: High (Ability to execute arbitrary code implies potential modification or destruction of data)
- Availability: High (RCE can lead to system compromise or denial of service)
## Remediation
### Patches
- 7-Zip version **25.00** (released July 2025) fixes this flaw together with CVE-2025-11002.
### Workarounds
- No vendor workaround is given in the provided text; with active exploitation reported, upgrading to 25.00 takes priority over any mitigation. Until then, the preconditions above are the only levers: do not extract untrusted archives from an elevated session or on hosts with Developer Mode enabled, and treat inbound ZIP files from untrusted sources as hostile (quarantine or block at the mail/web gateway).
## Detection
- Indicators of compromise (IOCs) for the observed exploitation are **not available** in this summary.
- Detection should focus on 7-Zip processes (7z.exe, 7zG.exe, 7zFM.exe) writing files outside the directory the user extracted into, in particular into locations that get executed later, and on unexpected child processes or scheduled/startup items appearing shortly after an archive from an untrusted source was unpacked. Inbound ZIP files can also be screened for symbolic-link entries before they reach users.
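The following is an added example of such a pre-extraction screen, written for this summary; it is not 7-Zip code and not the published PoC. It parses a ZIP's central directory with Python's standard `zipfile` module, flags symbolic-link entries (Info-ZIP convention: Unix mode bits in the high 16 bits of `external_attr`) whose target resolves outside the extraction directory, and flags any later entry whose path passes through a symlink declared earlier, which is the two-step pattern described above. The sample archive it builds is constructed for the demonstration; the link target `../../../../escape_dir` is an illustrative placeholder, not a real exploit path.

```python
"""Pre-extraction screen for ZIP archives that abuse symbolic-link entries.

Added example (not 7-Zip code and not the published PoC). It flags the two
ingredients of the traversal pattern: a symlink entry whose target resolves
outside the extraction directory, and a later entry whose path passes through
a symlink declared earlier in the archive.
"""
from __future__ import annotations

import io
import posixpath
import stat
import zipfile


def _normalize(name: str) -> str:
    # ZIP names should use '/', but attacker-built archives may use '\'.
    return posixpath.normpath(name.replace("\\", "/"))


def _escapes(path: str) -> bool:
    # True if the normalized path leaves the extraction directory:
    # absolute path, drive letter, or climbing above the root via '..'.
    p = _normalize(path)
    return (p.startswith("/") or p == ".." or p.startswith("../")
            or (len(p) > 1 and p[1] == ":"))


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Info-ZIP convention: Unix mode bits live in the high 16 bits of
    # external_attr. Checked regardless of create_system, to stay conservative.
    return stat.S_ISLNK(info.external_attr >> 16)


def audit_zip(data: bytes) -> list[tuple[str, str, str]]:
    """Return (severity, entry_name, reason) findings for a ZIP given as bytes."""
    findings: list[tuple[str, str, str]] = []
    links: dict[str, str] = {}  # normalized link path -> raw target, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = _normalize(info.filename)
            if _escapes(name):
                findings.append(("block", info.filename, "entry name escapes extraction dir"))
                continue
            if _is_symlink(info):
                # The link target is stored as the entry's file content.
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.join(posixpath.dirname(name), target.replace("\\", "/"))
                links[name] = target
                if _escapes(resolved):
                    findings.append(("block", info.filename,
                                     f"symlink target escapes extraction dir: {target}"))
                else:
                    findings.append(("warn", info.filename, f"symlink inside archive: {target}"))
                continue
            # Regular file or directory: does any parent component reuse a symlink
            # declared earlier? If so, the write lands wherever that link points.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(("block", info.filename,
                                     f"write passes through symlink {prefix} -> {links[prefix]}"))
                    break
    return findings


def build_traversal_zip() -> bytes:
    """Constructed sample (not the real PoC): a symlink entry followed by a
    file whose path goes through it. The target is an illustrative placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("out")
        link.create_system = 3  # Unix, so extractors honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../../../escape_dir")
        zf.writestr("out/dropped.txt", "constructed payload placeholder")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with only ordinary entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    for sev, entry, why in audit_zip(build_traversal_zip()):
        print(f"[{sev}] {entry}: {why}")
```

Run it against a real inbound archive with `audit_zip(open(path, "rb").read())`; any `block` finding is reason enough to quarantine the file, and a `warn` finding (a symlink that stays inside the archive) deserves a look because a chain of internal links can still be combined with a later escaping one.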
## References
- ZDI Advisory for CVE-2025-11001: hxxps://www.zerodayinitiative.com/advisories/ZDI-25-949/
- 7-Zip History/Release Notes: hxxps://www.7-zip.org/history.txt
- PoC Exploit Repository: hxxps://github.com/pacbypass/CVE-2025-11001
- NHS England Digital Advisory: hxxps://digital.nhs.uk/cyber-alerts/2025/cc-4719