Overview
CVE: CVE-2025-11001, CVE-2025-11002
Severity: Critical
Date: 22 October 2025
Two critical vulnerabilities have been discovered and patched in the 7-Zip file archiver. These flaws (CVE-2025-11001, CVE-2025-11002) allow for remote code execution (RCE) when a user opens or extracts a maliciously crafted archive file.
The vulnerabilities stem from improper handling of symbolic links, leading to a directory traversal weakness. Successful exploitation could allow an attacker to achieve complete system compromise, leading to data theft or the deployment of ransomware. The cumulative risk threatens any system where users or automated processes handle archive files from untrusted sources.
Affected Versions
- 7-Zip: All versions of 7-Zip prior to version 25.00 are affected.
- Unsupported product versions should be considered vulnerable.
Vulnerability Breakdown
CVE-2025-11001 — 7-Zip Directory Traversal RCE
- Type: Remote Code Execution
- CVSS Score: 9.8 (Critical)
- Impact: RCE on the affected system, allowing for arbitrary file writes and potential system compromise.
- Exploitation Vector: An attacker crafts a ZIP file containing a symbolic link entry that points outside of the target extraction directory. When a user extracts the archive, a malicious payload can be written to a critical system location.
- Conditions Required: Requires a user to open or extract a malicious archive file.
CVE-2025-11002 — 7-Zip Symbolic Link Parsing RCE
- Type: Remote Code Execution
- CVSS Score: 9.8 (Critical)
- Impact: RCE on the affected system.
- Exploitation Vector: Similar to the above, this vulnerability is triggered by parsing a malicious archive that exploits improper symbolic link handling to escape the intended extraction directory and execute code.
- Conditions Required: Requires minimal user interaction (opening a crafted archive).
Mitigation
- Upgrade to the patched version immediately. Attackers can easily craft exploits for these vulnerabilities.
- For 7-Zip, upgrade to version 25.00 or newer.
- Audit automated processes: Scrutinise any systems that automatically extract archives, such as in enterprise file-sharing or backup solutions.
- Implement input sanitisation: Where possible, enforce strict sanitisation of archive entry paths before extraction, or disable automatic extraction of archives originating from untrusted contexts.
- Monitor for suspicious activity: Monitor for anomalous directory traversal patterns in logs and unexpected file modifications in critical system locations.
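As an added illustration of the "strict sanitisation of archive entry paths" control above (example code written for this advisory, not part of 7-Zip or any vendor tooling), the audit below walks a ZIP archive before anything is extracted and rejects entries whose name, or whose symbolic-link target, would resolve outside the intended extraction directory. The extraction directory and the in-memory sample archive are constructed assumptions for the demonstration.

```python
import io
import os
import stat
import zipfile

DEST = "/tmp/extract"  # assumed extraction directory; it does not need to exist


def escapes(dest: str, relpath: str) -> bool:
    """True when dest/relpath resolves outside dest (absolute path or '..' climb)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, relpath))
    return os.path.commonpath([root, target]) != root


def audit_zip(data: bytes, dest: str = DEST) -> list[tuple[str, str]]:
    """Return (entry name, reason) for every entry that could write outside dest.

    Two lexical checks per entry: its name must stay under dest, and if the
    entry is a symlink (Unix mode in the high 16 bits of external_attr) the
    link target stored as its body must also resolve under dest, because any
    later entry written through that link would land outside the directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if escapes(dest, name):
                findings.append((name, "entry name escapes extraction directory"))
                continue
            if stat.S_ISLNK(info.external_attr >> 16):
                link_target = zf.read(info).decode("utf-8", "replace")
                link_path = os.path.join(os.path.dirname(name), link_target)
                if escapes(dest, link_path):
                    findings.append((name, f"symlink target {link_target!r} escapes extraction directory"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory fixture: one benign file, one escaping symlink, one '..' entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless content")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
        zf.writestr(link, "../../../outside")             # a symlink's body is its target path
        zf.writestr("../escape.txt", "would land beside dest")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_archive()):
        print(f"REJECT {entry}: {reason}")
```

The checks are purely lexical: they do not account for symlinks already present on disk under the extraction directory, so an automated pipeline should pair this audit with an extractor that refuses to create symlinks at all.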
Summary for IT Teams
- Product: 7-Zip
- Threat Level: Critical
- Action Required:
  - Patch all affected systems immediately. Prioritise systems used by privileged users and automated processing servers.
  - Identify all installations of 7-Zip and upgrade to version 25.00 or newer.
  - Review server configurations and disable automatic archive extraction where not essential.
  - Educate users about the risks of opening or extracting archive files from untrusted sources, such as email attachments or internet downloads.
Reference
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.