Imagine an attacker taking control of your computer just because you extracted a ZIP file. That is the scenario behind two newly disclosed vulnerabilities in 7-Zip, the popular file archiving tool. The flaws let an attacker who can get a user (or an automated service) to extract a booby-trapped archive write files outside the extraction directory and, from there, run code on the system. In essence, a carefully crafted ZIP file becomes a weapon, turning a trusted file extractor against you.
The core issue is 'directory traversal', a technique where attackers trick software into writing to files and folders it shouldn't. Think of it like handing someone a map to your house that has been secretly altered to lead them to your neighbour's vault. In this case, the vulnerabilities (CVE-2025-11002 and CVE-2025-11001) arise from 7-Zip's improper handling of symbolic link entries stored inside ZIP files. A symbolic link is essentially a shortcut: a filesystem entry that points at another path. If an archive can plant a shortcut that points outside the folder you are extracting into, anything later extracted through that shortcut lands somewhere you never intended.
The two related vulnerabilities were disclosed through Trend Micro's Zero Day Initiative (ZDI) and are tracked as CVE-2025-11002 (ZDI-25-950, ZDI-CAN-26743) and CVE-2025-11001 (ZDI-25-949, ZDI-CAN-26753). To exploit them, an attacker crafts a malicious ZIP file whose symbolic link entries point outside the directory that 7-Zip is extracting into. This is where the directory traversal comes into play: the links act as misleading signposts, and 7-Zip, by following them during extraction, ends up writing to locations it should never touch.
| CVE ID | CVSS Score | Affected Vendor | Affected Product |
| :--- | :--- | :--- | :--- |
| CVE-2025-11002 (https://www.cve.org/CVERecord?id=CVE-2025-11002) | 7.0 | 7-Zip | 7-Zip |
| CVE-2025-11001 (https://www.cve.org/CVERecord?id=CVE-2025-11001) | 7.0 | 7-Zip | 7-Zip |
When 7-Zip processes such an archive, it creates the symbolic link and then follows it while extracting later entries, so their contents are written outside the intended extraction path. And this is the part most people miss: the problem is not reading sensitive files, it is writing them. An attacker can overwrite existing files or drop new ones into locations the system trusts. Think of it as a Trojan Horse hidden inside a seemingly harmless ZIP archive.
The flaw can be exploited to overwrite arbitrary files or to drop payloads into locations that other services or scheduled tasks later execute. Exploitation needs only low privileges and minimal user interaction: getting a user, or an unattended service, to extract the archive is enough. Two caveats temper the headline. First, ZDI rates both bugs at CVSS 7.0 with a vector of local access, high attack complexity, low privileges required and user interaction required, so this is not a drive-by remote exploit. Second, on Windows, creating a symbolic link normally requires SeCreateSymbolicLinkPrivilege (held by administrators, or granted broadly when Developer Mode is on), so the most dangerous case is an archive extracted by a privileged service or an elevated user rather than by a standard desktop account. The debate over whether the user-interaction requirement makes this less critical cuts both ways: social engineering gets files opened every day, and automated extraction pipelines need no social engineering at all.
For example, a proof-of-concept archive of this kind carries two cooperating entries: a symbolic link entry whose target climbs out of the extraction directory (for instance ../../../../Windows/System32), followed by a file entry stored beneath that link, such as link/malicious.dll. 7-Zip creates the link first, then writes the second entry through it, so the DLL lands directly in System32, a critical system folder, even though the archive was extracted into a harmless temporary directory. If the extracting process runs with high privileges (say, as the 'SYSTEM' account), a subsequent request to load that library, perhaps via a plugin or a scheduled task, results in the attacker's code executing with those privileges, giving them effectively complete control of the system.
Security teams should immediately audit systems that automatically process ZIP files, especially enterprise file-sharing platforms, mail gateways and automated backup solutions, and note which account each extraction runs under. Until the patch is deployed, reject or quarantine archives that contain symbolic link entries or path components of '..', extract into a dedicated directory as a low-privileged account that cannot create symbolic links, and disable automatic extraction in untrusted contexts.
7-Zip version 25.00 addresses both vulnerabilities by enforcing stricter path validation and preventing symbolic links from escaping the intended extraction directory. Administrators are strongly urged to upgrade to this version or later immediately; the fix shipped well before public disclosure, so any 7-Zip older than 25.00 remains exposed. The vulnerabilities were responsibly reported to the vendor on 2025-05-02, and the coordinated public advisories were published on 2025-10-07.
Indicators of compromise (IoCs) to watch for include the unexpected appearance of DLLs or executables in protected directories shortly after an archive extraction, symbolic links inside extraction directories that point outside them, and ZIP entries whose names or link targets contain path traversal sequences (multiple ../ components or absolute paths). Organizations that rely heavily on automated ZIP extraction should review logs for such patterns and prioritize deploying patched 7-Zip 25.00 or later.
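The scanner below is an added example, not code from the article, from ZDI or from the 7-Zip project. It shows, in working form, what the preceding paragraphs describe: how a ZIP archive stores a symbolic link (Unix host type in 'version made by' and S_IFLNK in the high 16 bits of the external attributes, with the link target as the entry data), how the two-entry symlink-then-file pattern from the PoC description looks on disk, and how to flag the IoCs listed above without extracting anything. The sample archive is constructed in memory; the link target and the dummy 'DLL' bytes are illustrative, not taken from any real exploit.

```python
import io
import posixpath
import stat
import zipfile

# Constructed sample link target; illustrative only, not taken from the PoC.
ESCAPE_TARGET = "../../../../Windows/System32"


def escapes_root(path: str) -> bool:
    """True when a ZIP entry path would resolve outside the extraction root.

    Handles both separators, absolute POSIX paths, Windows drive letters, and
    '..' components that climb above the root at any point along the path.
    """
    p = path.replace("\\", "/")
    if p.startswith("/") or (len(p) >= 2 and p[1] == ":"):
        return True
    depth = 0
    for seg in p.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """ZIP stores Unix symlinks as S_IFLNK in the high 16 bits of external_attr,
    with 'version made by' host = 3 (Unix); the entry data is the link target."""
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for an archive, without extracting it.

    kinds: traversal-name         entry name itself climbs out of the root
           symlink-escape         symlink whose target resolves outside the root
           write-through-symlink  later entry whose path passes through an
                                  earlier symlink (the pattern described above)
    """
    findings = []
    links = {}  # normalized link path -> link target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes_root(name):
                findings.append(("traversal-name", name))
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                # Relative targets resolve from the link's own directory.
                base = posixpath.dirname(name.rstrip("/"))
                resolved = target if target.startswith("/") else posixpath.join(base, target)
                if escapes_root(resolved):
                    findings.append(("symlink-escape", f"{name} -> {target}"))
                links[posixpath.normpath(name.rstrip("/"))] = target
                continue
            # Does any parent component of this entry match an earlier symlink?
            parts = posixpath.normpath(name).split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(("write-through-symlink",
                                     f"{name} via {prefix} -> {links[prefix]}"))
                    break
    return findings


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed in-memory archive. With malicious=True it has the shape the
    article describes: a symlink pointing out of the extraction directory, then
    a file entry stored beneath that link, plus a plain '..' entry. The payload
    bytes are a dummy marker, not a real DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign content")
        if malicious:
            link = zipfile.ZipInfo("link")
            link.create_system = 3                                  # Unix host
            link.external_attr = (stat.S_IFLNK | 0o777) << 16       # lrwxrwxrwx
            zf.writestr(link, ESCAPE_TARGET)                        # data = target
            zf.writestr("link/malicious.dll", b"MZ dummy payload")  # written via link
            zf.writestr("../../evil.txt", "direct traversal")
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in scan_zip(build_sample_zip()):
        print(f"{kind:22} {detail}")
```

Run the module directly to see the three findings for the constructed archive; a clean archive (build_sample_zip(malicious=False)) yields none. In an ingestion pipeline, call scan_zip on the raw bytes before handing the file to any extractor and quarantine on any finding. Note that the write-through-symlink check only catches links declared earlier in the central directory than the entry that uses them, which is the order an extractor processes them in; a stricter policy is simply to refuse any archive containing a symlink entry.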
Continuous monitoring of file-handling services, extracting with the least privilege the job needs, and validating archive entry names and link targets before extraction are the durable defenses against this whole class of archive-based attacks. Think of it as building a firewall around your file handling processes.
What are your thoughts on the responsibility of software vendors to proactively identify and address these types of vulnerabilities? Do you believe that end-users should bear more of the burden in protecting themselves from these threats? Share your opinions in the comments below!
Divya (https://gbhackers.com/author/divya/)
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.