Critical 7-Zip Vulnerability With Public Exploit Requires Manual Update
Summary:
Researchers have discovered a critical Directory Traversal Remote Code Execution (RCE) vulnerability (tracked as CVE-2025-11001) affecting older versions of the popular, free file-compressing tool, 7-Zip, specifically on Windows systems.
The flaw stems from how 7-Zip handles symbolic links inside ZIP archives. An attacker can craft a malicious ZIP archive that, when extracted, causes the program to write outside the intended extraction directory and into unauthorized system directories (directory traversal). This can let the attacker execute arbitrary code or run unwanted programs.
The vulnerability has a CVSS score of 7.0 (High) and requires user interaction: the target must open or extract the malicious ZIP file. A public Proof-of-Concept (PoC) exploit is available, which significantly elevates the risk of widespread and rapid attacks.
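Because the exploit depends on archive entries that are symbolic links or whose paths escape the extraction directory, a defender can triage a ZIP before anyone extracts it. The following PowerShell function is an added example, not part of this advisory or of the 7-Zip project: it lists entries that carry a Unix symbolic-link mode in their external attributes and entries whose names contain absolute paths, drive letters or `..` segments. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later (or PowerShell 7), where `ZipArchiveEntry.ExternalAttributes` is available, and builds a small clean sample archive in `$env:TEMP` so the function can be run end to end.

```powershell
# Added example (not from the advisory or the 7-Zip project): pre-extraction triage of a
# ZIP archive. Flags symbolic-link entries and entries whose paths escape the target
# directory. Assumes .NET Framework 4.7.2+ / PowerShell 7 for ZipArchiveEntry.ExternalAttributes.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SuspiciousZipEntries {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $name = $entry.FullName

            # Archives written by Unix-style tools store st_mode in the upper 16 bits of
            # ExternalAttributes; file-type bits (0xF000) equal to 0xA000 mark a symlink.
            $unixMode  = ($entry.ExternalAttributes -shr 16) -band 0xFFFF
            $isSymlink = ($unixMode -band 0xF000) -eq 0xA000
            if ($isSymlink) {
                $findings += [pscustomobject]@{ Entry = $name; Reason = 'symbolic-link entry' }
            }

            # Absolute paths, drive letters and '..' segments all resolve outside the
            # extraction directory, regardless of the entry type.
            $segments = $name -split '[\\/]'
            if ($name -match '^[\\/]' -or $name -match '^[A-Za-z]:' -or ($segments -contains '..')) {
                $findings += [pscustomobject]@{ Entry = $name; Reason = 'path escapes extraction directory' }
            }
        }
    }
    finally {
        $zip.Dispose()
    }
    return $findings
}

# Constructed clean sample archive so the function can be exercised without any real suspect file.
$sampleDir = Join-Path $env:TEMP 'zip-triage-sample'
New-Item -ItemType Directory -Force -Path $sampleDir | Out-Null
Set-Content -Path (Join-Path $sampleDir 'readme.txt') -Value 'constructed sample content'
$sampleZip = Join-Path $env:TEMP 'zip-triage-sample.zip'
Remove-Item $sampleZip -ErrorAction SilentlyContinue
Compress-Archive -Path (Join-Path $sampleDir 'readme.txt') -DestinationPath $sampleZip

$hits = Get-SuspiciousZipEntries -Path $sampleZip
if ($hits) { $hits | Format-Table -AutoSize } else { "No suspicious entries in $sampleZip" }
```

Run it against inbound archives (for example from a mail-gateway or download quarantine) and hold any file that returns findings; an empty result for the constructed sample above is the expected clean case. The check is conservative by design: a symlink entry is flagged even when its target looks harmless, because the extraction behaviour of an unpatched 7-Zip, not the link target, is what the advisory warns about.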
Security Officer Comments:
While the vulnerability does require a user to open the archive directly, a successful attack could have severe impacts, including code execution under a highly privileged account. This potential for privilege escalation makes a full system takeover a serious possibility.
7-Zip is a widely used open source tool found across personal and enterprise systems. Compounding its popularity, 7-Zip has no automatic update mechanism, so patching this vulnerability requires manual user action. This manual patching requirement will likely leave a larger volume of installations unpatched and slow adoption of the fixed release. The public release of a working PoC exploit provides cybercriminals with a ready-to-use blueprint, which will compound exploitation attempts against unpatched users.
Suggested Corrections:
The most crucial step is immediate, manual updating of the 7-Zip application, as it cannot update itself automatically.
- Identify Vulnerable Systems: Check all Windows machines for 7-Zip installations older than version 25.00.
- Update Manually: Users must promptly install the latest secure version. The issue was fixed in version 25.00 (released July 2025), but users should update to the current version, 25.01 (or any newer version).
- Link(s): Download the latest software from the official 7-Zip download page.
- Enterprise Management: Organizations must use existing enterprise tools, scripts, or deployment systems to manage and push the necessary update across all endpoints, compensating for the tool's lack of a self-update feature.
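The identification step above can be scripted for the fleet. The following PowerShell is an added example, not part of this advisory or of the 7-Zip project: it inventories 7-Zip on a Windows host from the installer's Uninstall registry entries and from the file version of `7z.exe` in the default install directories, then compares each version with the fixed release, 25.00. It assumes the standard installer registry entries and install paths; a portable copy placed elsewhere would need its path added to the candidate list.

```powershell
# Added example (not from the advisory or the 7-Zip project): inventory 7-Zip installs on a
# Windows host and report whether each one is older than the fixed release, 25.00.
# Assumes the standard installer registry entries and default install paths.
$fixedVersion = [version]'25.0'

function Get-SevenZipInstalls {
    $results = @()

    # 1. Installer-registered copies: Uninstall keys for 64-bit and 32-bit (WOW6432Node) views.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($item in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
        if ($item.DisplayName -like '7-Zip*' -and $item.DisplayVersion) {
            $results += [pscustomobject]@{
                Source  = 'registry'
                Name    = $item.DisplayName
                Version = $item.DisplayVersion
                Path    = $item.InstallLocation
            }
        }
    }

    # 2. File version of 7z.exe in the default install directories; this also catches
    #    copies the registry does not know about. ProgramFiles(x86) is absent on 32-bit hosts.
    $candidatePaths = @()
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) { $candidatePaths += Join-Path $root '7-Zip\7z.exe' }
    }
    foreach ($exe in $candidatePaths) {
        if (Test-Path $exe) {
            $vi = (Get-Item $exe).VersionInfo
            $results += [pscustomobject]@{
                Source  = 'file'
                Name    = '7z.exe'
                Version = "$($vi.FileMajorPart).$($vi.FileMinorPart)"
                Path    = $exe
            }
        }
    }
    return $results
}

function Test-SevenZipVulnerable {
    param([Parameter(Mandatory)][string]$VersionString)
    # 7-Zip reports versions such as "24.09" or "25.01"; [version] parses both forms.
    $parsed = $null
    if (-not [version]::TryParse($VersionString, [ref]$parsed)) {
        return $true   # unparseable version: report it so someone reviews the host
    }
    return $parsed -lt $fixedVersion
}

Get-SevenZipInstalls | ForEach-Object {
    $_ | Add-Member -NotePropertyName NeedsUpdate `
                    -NotePropertyValue (Test-SevenZipVulnerable $_.Version) -PassThru
} | Format-Table -AutoSize
```

Push the script through the endpoint-management tool already in use and collect the `NeedsUpdate` column centrally; hosts that report `True`, or that return no rows despite 7-Zip being expected, are the ones to schedule for the manual update.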