Two newly disclosed vulnerabilities in 7-Zip could allow attackers to execute arbitrary code by tricking users into opening a malicious ZIP archive. The issues, reported October 7 by Trend Micro’s Zero Day Initiative (ZDI), affect multiple builds of the popular open-source compression tool and were quietly fixed in July.
Tracked as CVE-2025-11001 and CVE-2025-11002, the flaws stem from how 7-Zip parses symbolic links within ZIP files. In essence, a crafted archive can escape its intended extraction directory and write files to other locations on the system. When chained, this can escalate to full code execution under the same privileges as the user, which is enough to compromise a Windows environment. Both vulnerabilities carry a CVSS base score of 7.0.
According to ZDI’s advisory, exploitation requires user interaction, but that bar is low; simply opening or extracting a malicious archive is sufficient. From there, the symlink traversal flaw can overwrite or plant payloads in sensitive paths, allowing the attacker to hijack execution flow. ZDI categorizes both bugs as directory traversal leading to remote code execution in a service account context.
7-Zip’s developer, Igor Pavlov, released version 25.00 on July 5, which patched the vulnerabilities alongside several smaller issues in RAR and COM archive handling—the current stable build, 25.01, followed in August. However, public disclosure of the security details didn’t occur until this week when ZDI’s advisories went live. That means users who haven’t updated since early summer have remained vulnerable for months without being aware of it.
The lack of an automatic update mechanism compounds issues like this. 7-Zip must be updated manually, and many users rely on older portable versions. Even in enterprise settings, it often escapes patch management systems because it isn’t installed via Windows Installer or a central repository.
Earlier this year, CVE-2025-0411 made headlines for allowing attackers to bypass Windows’ Mark-of-the-Web protections by nesting malicious ZIPs, effectively stripping downloaded files of their “from the internet” warning flags. That flaw was addressed in version 24.09.
To stay protected, download 7-Zip version 25.01 or newer directly from the project’s official site. The installer will upgrade your existing setup without affecting preferences. Until you update, avoid extracting archives from unverified sources.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.
