Cyber Security News

Hackers Actively Exploiting 7-Zip RCE Vulnerability in the Wild

Hackers have begun actively exploiting a critical remote code execution (RCE) vulnerability in the popular file archiver 7-Zip, putting millions of users at risk of malware infection and system compromise.

The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives: a crafted archive can make 7-Zip write files outside the chosen extraction directory, which an attacker can turn into arbitrary code execution on a vulnerable system.

First disclosed in October 2025, the vulnerability carries a CVSS v3 score of 7.0 (High). The rating reflects a flaw that needs no prior privileges on the target but does need user interaction: a victim, or an unattended job acting on their behalf, has to extract the attacker's archive.

7-Zip RCE Vulnerability Exploited

CVE-2025-11001 arises during the parsing of ZIP files containing crafted symbolic links, which trick 7-Zip into writing files outside the intended extraction directory.

Because the writes happen with the permissions of the extracting account, an attacker can overwrite files that account is allowed to modify or drop payloads where they will later be executed, gaining code execution in the context of the user or service account running 7-Zip.
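The pattern described above is a two-step one: an archive entry that is itself a symbolic link pointing outside the extraction root, followed by an ordinary entry whose path passes through that link, so the second write lands wherever the link points. The following Python script is an added example, not code from the article, from 7-Zip or from the researchers; it builds a constructed archive with exactly that shape and runs a static audit over the ZIP central directory that flags both entries. The entry names, link target and payload text are made up for the illustration.

```python
"""Static audit of ZIP archives for the symlink-traversal pattern.

Added example; not code from 7-Zip, the article, or the researchers. The archives
it builds are constructed here for illustration. The audit is extractor-independent:
it never creates links or files, it only inspects the central directory.
"""
import io
import posixpath
import stat
import zipfile


def escapes_root(path: str) -> bool:
    """True if a path is absolute, drive-qualified, or climbs above the extraction root."""
    if path.startswith(("/", "\\")) or ":" in path:   # ':' treated conservatively (C:\...)
        return True
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix-created entries keep st_mode in the high 16 bits of external_attr."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for entries that could write outside the target dir.

    Two patterns are flagged: a symlink whose target leaves the extraction root, and a
    later entry whose path passes through an earlier symlink entry (that write goes
    wherever the link points, not into the extraction directory).
    """
    findings = []
    symlinks = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = posixpath.normpath(info.filename.replace("\\", "/"))
            if escapes_root(info.filename):
                findings.append((info.filename, "absolute or traversing entry name"))
                continue
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")   # link body is the target
                resolved = posixpath.join(posixpath.dirname(name), target)
                if escapes_root(resolved):
                    findings.append((info.filename, f"symlink target leaves extraction root: {target}"))
                symlinks.add(name)
                continue
            parts = name.split("/")
            for depth in range(1, len(parts)):
                prefix = "/".join(parts[:depth])
                if prefix in symlinks:
                    findings.append((info.filename, f"path passes through symlink entry {prefix!r}"))
                    break
    return findings


def build_demo_archive() -> bytes:
    """Constructed archive reproducing the two-step pattern: link first, then a write through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("link")
        link.create_system = 3                       # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../..")                # hypothetical target: three levels up
        zf.writestr("link/payload.txt", "lands three directories above the extraction dir")
        zf.writestr("readme.txt", "ordinary entry, should not be flagged")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive whose symlink stays inside the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("docs/latest")
        link.create_system = 3
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "readme.txt")              # relative, resolves to docs/readme.txt
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("demo", build_demo_archive()), ("benign", build_benign_archive())):
        hits = audit_zip(blob)
        print(f"{label}: {'REJECT' if hits else 'ok'}")
        for entry, reason in hits:
            print(f"  {entry}: {reason}")
```

Python's `zipfile` never creates real symbolic links on extraction, so the script cannot reproduce the out-of-directory write itself; what it shows is the shape of the archive and a pre-extraction gate that an automated pipeline can run before handing anything to a native extractor. Note that the benign archive also contains a symlink: rejecting every link would be simpler but would break legitimate archives, so the audit resolves the target relative to the link's own directory and only rejects links that leave the root or entries that write through a link.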

Trend Micro's Zero Day Initiative (ZDI), which coordinated the disclosure, notes that an attacker can use the flaw to execute code in the context of a service account, which makes unattended, automated archive processing in enterprise environments a particularly exposed target.

The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., working with the company's AI-powered AppSec auditor, and reported to the 7-Zip developers.

A proof-of-concept (PoC) exploit has since been publicly released, demonstrating how a malicious ZIP file can abuse symbolic link handling to facilitate arbitrary file writes and, in certain scenarios, direct RCE.

The PoC has lowered the barrier for threat actors and coincides with the real-world attacks now being reported. User interaction is minimal: extracting a booby-trapped archive is enough, a routine action in phishing campaigns and drive-by downloads. One caveat for Windows targets: creating a symbolic link requires the SeCreateSymbolicLinkPrivilege, which by default only administrators hold, so in practice elevated users, service accounts and automated extraction jobs running with that privilege are the realistic victims rather than a standard user on default settings.

This issue is not isolated: 7-Zip 25.00, released in July 2025, also fixes a related flaw, CVE-2025-11002, which shares the same root cause in symbolic-link handling and likewise scores CVSS 7.0.

Both vulnerabilities were introduced in version 21.02, so every release from 21.02 up to and including 24.09 of the open-source tool, used by over 100 million Windows users worldwide for compression tasks, is affected. Early indicators suggest attackers are targeting unpatched systems in sectors like healthcare and finance, where archive handling is routine.

The U.K.’s NHS England Digital issued an urgent advisory on November 18, 2025, confirming active exploitation of CVE-2025-11001, urging immediate updates to mitigate risks.

Threat actors could use this RCE to deploy ransomware, steal sensitive data, or establish persistent backdoors; the danger compounds when a poisoned archive is passed along by email or through shared drives, where every extraction can repeat the compromise.

Organizations relying on 7-Zip for bulk file operations face elevated threats, as unattended extractions could silently write malware to locations across the network.

To counter this threat, users and organizations must update 7-Zip to version 25.00 or later from the official website (7-zip.org). 7-Zip has no automatic update mechanism, so installed copies, including those bundled into other tools or scripts, must be found and upgraded manually. The fixed version enforces stricter path handling so that extraction cannot follow a link outside the target directory.

The patch prevents symbolic links from escaping the extraction boundary, neutralizing both CVE-2025-11001 and CVE-2025-11002. Affected platforms are Windows systems running 7-Zip 21.02 through 24.09, with no impacts reported on the Linux or macOS ports so far.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
