Critical 7-Zip Exploit Now Public: Immediate Patching Required
Since the disclosure of two critical vulnerabilities in 7-Zip, the situation has escalated sharply: functional proof-of-concept exploits are now publicly available that reproduce attacks by altering extraction paths and injecting arbitrary files. This elevates the threat from theoretical to tangible—particularly in corporate environments where archives are processed automatically—because it now represents a confirmed path to code execution on Windows systems.
Both flaws—CVE-2025-11001 and CVE-2025-11002—stem from improper handling of symbolic links during ZIP extraction. The application converts Linux-style symlinks into Windows paths without verifying whether they escape the intended extraction directory. An attacker can therefore redirect extraction to arbitrary locations, including system folders. In a demo, a symlink pointed to the Desktop, after which an executable was extracted into that folder; if the user launches it, arbitrary code runs.
The vulnerabilities affect 7-Zip versions from 21.02 through 24.09. Analysts traced the defect to logic within ArchiveExtractCallback.cpp, specifically the IsSafePath routine and CLinkLevelsInfo::Parse. The bypass works even when a path superficially appears relative but in practice resolves outside the target folder. Release 25.00 patches these issues by adding further checks, introducing support for an isWSL flag, and refining absolute-path handling.
The danger is compounded by a PoC exploit published under the pseudonym pacbypass, which demonstrates targeted file injection. The technique does not require mass infection; it can be weaponized against a specific administrator account or a device running in developer mode. The exploit operates only on Windows, but since that is the primary platform for 7-Zip users, the risk is all the more acute.
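The check that the vulnerable code lacked, written here as an added example rather than 7-Zip's own IsSafePath logic: a defensive Python scanner that inspects a ZIP archive for Unix symlink entries and flags any whose target resolves outside the extraction root, covering targets that look relative but climb past the root as well as absolute, drive-letter and UNC targets. The function names and the sample archive are constructed for this illustration.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True when the entry carries a Unix symlink mode (stored in the high 16 bits)."""
    return stat.S_ISLNK(info.external_attr >> 16)


def symlink_escapes_root(entry_name: str, target: str) -> bool:
    """Return True if symlink `entry_name` -> `target` points outside the extraction
    root once a Linux-style link is mapped onto Windows path semantics."""
    t = target.replace("\\", "/")
    # Absolute POSIX path, UNC share (//server/share) or drive letter: all leave the root.
    if t.startswith("/") or (len(t) >= 2 and t[1] == ":"):
        return True
    # Resolve relative to the directory that contains the link inside the archive;
    # "sub/../../../x" looks relative but normalises to "../x".
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(entry_name), t))
    return resolved == ".." or resolved.startswith("../")


def find_unsafe_symlinks(zip_bytes: bytes) -> list[tuple[str, str]]:
    """List (entry, target) pairs for symlink entries that would escape the root."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")  # link body = target
            if symlink_escapes_root(info.filename, target):
                unsafe.append((info.filename, target))
    return unsafe


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): one file and three Unix symlinks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        for name, target in [
            ("docs/link_ok", "../readme.txt"),           # stays inside the root
            ("docs/link_up", "sub/../../../outside"),    # looks relative, resolves outside
            ("link_abs", "C:\\Users\\Public\\Desktop"),  # absolute Windows path
        ]:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
            zf.writestr(zi, target)
    return buf.getvalue()
```

Running `find_unsafe_symlinks(build_sample_archive())` reports the two escaping links and leaves the in-root link alone; the same check can gate an extraction pipeline before any symlink is materialised.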
Developers have closed both vectors in 25.00, mitigating direct bypasses and exploitation via UNC paths that endanger network shares. Nonetheless, the emergence of public PoCs raises the specter that these methods will be folded into more complex attack chains, especially phishing campaigns or the use of malicious archives for initial access.
Users are urged to update 7-Zip to the latest release, disable symlink support where feasible, and scrutinize extraction destinations and write operations to sensitive directories. This episode underscores how even subtle lapses in archive-processing logic can produce severe, real-world consequences.