7-Zip: Attackers Inject Malicious Code
Attackers are exploiting a security vulnerability in 7-Zip that allows them to inject and execute malicious code.
The popular archiving tool 7-Zip is being targeted by attackers exploiting a vulnerability that allows for the injection and execution of malicious code with elevated privileges. Updates to patch this security flaw have been available for some time.
The UK's National Health Service (NHS) is now warning of observed attacks targeting the security vulnerability CVE-2025-11001. "Active attacks on CVE-2025-11001 have been observed in the wild. A security researcher has also published a proof-of-concept (PoC) exploit for CVE-2025-11001. The PoC allows attackers to abuse symbolic link handling to write files outside of the intended extraction directory, which in some scenarios enables arbitrary code execution." However, the NHS does not provide further details on the attacks.
More Detailed Vulnerability Description
Trend Micro's Zero Day Initiative (ZDI) initially provided only a very brief explanation of the vulnerability. The CVE entry published later offers more information, and these details are now also available from ZDI. According to this, 7-Zip can falter when processing archives, allowing attackers to exploit "path traversal", that is, traversing directories with sequences like "../" to reach parent directories. The handling of symbolic links in 7-Zip prior to version 25.00 was flawed. This allowed manipulated archives to inject code, for example, by overwriting service files that are then executed with the service's privileges. User interaction is required, as an archive must be extracted (CVE-2025-11001, CVSS 7.0, Risk "high").
This is a security vulnerability that the developer already addressed in version 25.00 of 7-Zip. However, since 7-Zip does not have an integrated update mechanism, users must take action themselves and update the software to the latest version. They should definitely download the current version from the 7-Zip download page and replace the previously installed version.
(dmk)