A critical remote code execution vulnerability identified as CVE-2025-11001 in the widely used 7-Zip software is currently being exploited in live attacks, according to a warning from NHS England. With a CVSS score of 7.0, this flaw allows remote attackers to execute arbitrary code on installations of 7-Zip that have not been updated.
The advisory indicates that exploitation of CVE-2025-11001 has already been detected in the wild. Moreover, a security researcher has made a proof-of-concept (PoC) exploit publicly available, which abuses the vulnerable symbolic link handling in ZIP files. This allows attackers to craft ZIP symlinks capable of escaping the intended extraction folder and executing code with the permissions of the service account.
The vulnerability stems from improper handling of symbolic links within ZIP archives. A crafted archive can trick the extraction process into traversing unintended directories, enabling attackers to run code in the context of the service account. The research into this vulnerability was conducted by Ryota Shiga from GMO Flatt Security Inc. and the security team at takumi-san.ai.
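The mechanism described above, a symlink entry inside a ZIP whose target points outside the extraction root, is something a defender can check for before an archive is ever handed to an extractor. The following is an added example written for this article, not code from 7-Zip or from the researchers named here; it builds a small constructed sample archive in memory (all entry names and link targets are made up), then scans it the way a hardened extractor should: reject absolute or traversal-style entry names, and reject any symlink entry whose target resolves outside the root. Python's `zipfile` stores the Unix mode in the high 16 bits of `external_attr` and keeps a symlink's target as the entry's data, which is what the scanner reads.

```python
import io
import posixpath
import re
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive for the scanner below (not a real-world file).

    Contains one ordinary file, one symlink that escapes the extraction root
    (the pattern the article describes) and one symlink that stays inside it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")

        # Symlink entry: mode goes in the high 16 bits of external_attr,
        # and the link target is stored as the entry's data.
        escape = zipfile.ZipInfo("docs/link_out")
        escape.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(escape, "../../outside_root")   # resolves above the root

        inside = zipfile.ZipInfo("docs/link_in")
        inside.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(inside, "readme.txt")            # stays inside docs/
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry's stored Unix mode marks it as a symbolic link."""
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(entry_name: str, link_target: str) -> bool:
    """True if a symlink stored at entry_name pointing at link_target would
    resolve outside the archive root once extracted."""
    target = link_target.replace("\\", "/")
    # Absolute POSIX paths, UNC-style paths and Windows drive letters all
    # leave the extraction root by definition.
    if posixpath.isabs(target) or re.match(r"^[A-Za-z]:", target):
        return True
    # Resolve the target relative to the directory that holds the link entry.
    base = posixpath.dirname(entry_name)
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def unsafe_entries(zip_bytes: bytes) -> list[str]:
    """Return the names of entries an extractor should refuse: absolute or
    traversal-style names, and symlinks whose target leaves the root."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if posixpath.isabs(name) or norm == ".." or norm.startswith("../"):
                bad.append(info.filename)
                continue
            if is_symlink(info):
                # The link target is the entry payload; decode leniently so a
                # malformed target still gets evaluated rather than crashing.
                target = zf.read(info).decode("utf-8", "replace")
                if escapes_root(name, target):
                    bad.append(info.filename)
    return bad


if __name__ == "__main__":
    sample = build_sample_zip()
    print("entries to refuse:", unsafe_entries(sample))  # ['docs/link_out']
```

Rejecting the link entry itself, rather than only checking later entries against it, also covers the chained case where a harmless-looking file written later in the archive would land through a symlink created earlier. A scanner like this is a pre-extraction gate for mail gateways, upload handlers or CI pipelines; it does not replace upgrading 7-Zip to a fixed version.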
A patch to address this issue was included in version 25.00 of 7-Zip, which was released in July 2025. It is crucial for users of 7-Zip to upgrade their software immediately, especially considering the availability of PoC exploits that could facilitate targeted attacks.
Security researcher Dominik, known as pacbypass, noted that this vulnerability can be exploited only by users with elevated privileges or on machines running in developer mode, and that it is limited to Windows operating systems.
As cyber threats continue to evolve, this serves as a stark reminder for software users to maintain diligent security practices, including regular updates to safeguard against vulnerabilities.
