Critical 7-Zip Flaws Allow Remote Code Execution via Malicious ZIP Files
Two critical vulnerabilities discovered in the 7-Zip archiver allowed remote execution of arbitrary code when processing ZIP files. The flaws stemmed from how the program handled symbolic links within archives, enabling attackers to traverse outside permitted directories and overwrite or substitute system files.
The issues are tracked as CVE-2025-11002 and CVE-2025-11001. In both cases, an attacker could craft a specially structured ZIP archive containing links that point to external directories. When a vulnerable version of 7-Zip extracted such an archive, the program would follow the link and write data beyond the intended extraction folder. This behavior could be exploited to replace or insert malicious components into critical system locations.
A potential attack might unfold as follows: an archive includes a link targeting a malicious library within the system32 directory. If extracted by a process with administrative privileges, the library would be placed into the system folder and could be executed automatically—either via a scheduled task or upon loading a dependent module. No elevated privileges are required; user interaction with the malicious archive is sufficient to trigger the exploit.
According to security researchers, the threat poses particular danger to corporate environments where ZIP files are processed automatically—for instance, during backups, file exchanges, or software updates. In such contexts, arbitrary code injection could compromise an entire infrastructure.
The 7-Zip development team addressed the vulnerabilities in version 25.00. The update introduces strict path validation and blocks symbolic links that lead outside the extraction directory. The maintainers were notified on May 2, 2025; the fix was released on July 5, and public disclosure followed on October 7.
Experts recommend upgrading to the latest version and auditing systems that automatically extract archives. Signs of compromise may include the presence of unfamiliar libraries or executables in protected directories, or ZIP files containing suspiciously long or nested paths.
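The two defensive measures described above, the strict path validation that the 7-Zip fix introduced and the audit of archives for suspicious link or traversal entries, can be combined into a pre-extraction check. The following is an added example written for this page; it is not 7-Zip's code and does not reproduce its patch. It assumes the common ZIP convention that Unix symlink entries carry `S_IFLNK` in the high 16 bits of `external_attr` with the link target stored as the entry body, and it audits entries on three points: names that escape the extraction directory, symlinks whose target resolves outside it, and files whose path passes through an earlier symlink entry (the pattern by which a link is planted first and then written through). The sample archive is constructed inline as a test fixture; the entry names and targets in it are placeholders, not real-world indicators.

```python
import io
import posixpath
import stat
import zipfile
from typing import List, Tuple

Finding = Tuple[str, str]  # (entry name, reason)


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's Unix mode (high 16 bits of external_attr) marks a symlink.
    Assumption: the archiver stored Unix mode bits this way (InfoZIP / 7-Zip on Unix)."""
    return stat.S_ISLNK(info.external_attr >> 16)


def _escapes(base: str, rel: str) -> bool:
    """True if joining rel onto base and normalising leaves the base directory."""
    full = posixpath.normpath(posixpath.join(base, rel))
    return not (full == base or full.startswith(base + "/"))


def audit_archive(data: bytes, extract_dir: str = "/tmp/extract") -> List[Finding]:
    """Inspect every entry of a ZIP (given as bytes) without extracting anything.
    Returns a list of (entry name, reason) for entries that would write outside
    extract_dir or that route a write through a symlink."""
    base = posixpath.normpath(extract_dir)
    findings: List[Finding] = []
    symlinks = set()  # names of symlink entries seen so far, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")  # Windows-created archives
            # 1. Absolute paths and drive letters can never be safe
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path in entry name"))
                continue
            # 2. Plain "../" traversal in the entry name
            if _escapes(base, name):
                findings.append((name, "entry name escapes extraction directory"))
                continue
            # 3. Symlink whose target resolves outside the extraction directory.
            #    The target is relative to the directory containing the link.
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if target.startswith("/") or _escapes(base, resolved):
                    findings.append((name, f"symlink target escapes extraction directory: {target}"))
                symlinks.add(name)
                continue
            # 4. Regular entry whose path passes through an earlier symlink entry:
            #    an extractor that already created the link would follow it.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((name, f"written through symlink entry '{prefix}'"))
                    break
    return findings


def safe_to_extract(data: bytes, extract_dir: str = "/tmp/extract") -> bool:
    """Policy helper: refuse the whole archive if any entry is flagged."""
    return not audit_archive(data, extract_dir)


def _symlink_info(name: str) -> zipfile.ZipInfo:
    """Build a ZipInfo that marks the entry as a Unix symlink (fixture helper)."""
    zi = zipfile.ZipInfo(name)
    zi.create_system = 3  # 3 = Unix, so readers interpret the mode bits
    zi.external_attr = (stat.S_IFLNK | 0o777) << 16
    return zi


def build_sample_archive() -> bytes:
    """Constructed fixture (not a real sample): one benign file, one traversal
    name, one escaping symlink, one file written through that symlink, and one
    symlink that stays inside the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr("../outside.txt", "placeholder")
        zf.writestr(_symlink_info("lnk"), "../../")
        zf.writestr("lnk/payload.dll", "placeholder")
        zf.writestr(_symlink_info("docs/ok_link"), "readme.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_archive(build_sample_archive()):
        print(f"{entry}: {reason}")
    print("safe:", safe_to_extract(build_sample_archive()))
```

The check is deliberately order-aware: a symlink entry is only dangerous to later entries, which is why the audit walks the central directory in archive order rather than treating entries as an unordered set. Running it over an automated ingest path (backup, file-exchange or update pipeline, as the article mentions) gives a reject decision before any extractor touches the filesystem.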
Timely software updates, careful review of operation logs, and robust content filtering for archives remain among the most reliable defenses against such attacks.