A critical remote code execution vulnerability in the widely-used 7-Zip file compression utility, identified as CVE-2025-11001, is now being actively exploited in the wild. The advisory, issued by U.K. NHS England Digital, highlights the immediate threat posed by this flaw, which could allow attackers to compromise systems running vulnerable versions of the software. The vulnerability has been patched in 7-Zip version 25.00, released in July 2025.
The specific security loophole stems from the improper handling of symbolic links within ZIP files. According to Trend Micro’s Zero Day Initiative (ZDI), specially crafted data embedded in a ZIP archive can trick the 7-Zip process into traversing to unintended directories. This directory traversal capability enables remote attackers to execute arbitrary code with the privileges of a service account, significantly escalating the potential impact of a successful exploit. Ryota Shiga of GMO Flatt Security Inc., in collaboration with the company’s AI-powered AppSec Auditor Takumi, is credited with the discovery and reporting of this significant vulnerability.
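As an added example (not code from the advisory, ZDI, or the researchers named above), the following pre-extraction check flags ZIP entries stored as symbolic links whose targets resolve outside the extraction root, the general traversal pattern the paragraph describes. It assumes the Unix external-attribute convention (file mode in the high 16 bits of `external_attr`), and the sample archive it builds is a constructed fixture, not a captured exploit.

```python
import io
import posixpath
import re
import stat
import zipfile


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    # Unix-style archivers store the POSIX mode in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(entry_name: str, link_target: str) -> bool:
    # Absolute POSIX paths, drive-letter paths and UNC-style prefixes never stay in the root.
    target = link_target.replace("\\", "/")
    if posixpath.isabs(target) or re.match(r"^[A-Za-z]:", target):
        return True
    # Resolve the link relative to the directory holding the entry, then see if it climbs out.
    base = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def scan_archive(zip_bytes: bytes) -> list:
    # Every symlink entry is reported; 'escapes' marks the ones that leave the extraction root.
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            target = zf.read(info).decode("utf-8", errors="replace")
            findings.append({"entry": info.filename, "target": target,
                             "escapes": escapes_root(info.filename, target)})
    return findings


def build_sample_archive() -> bytes:
    # Constructed fixture: a regular file, an in-root symlink and one that climbs above the root.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/latest", "readme.txt"),
                             ("docs/escape", "../../outside-of-root")):
            link = zipfile.ZipInfo(name)
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)  # a symlink entry's data is its target path
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Any archive with an escaping finding should be quarantined rather than extracted; an archive with only in-root symlinks still deserves a look, since a later entry can be written through such a link.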
7-Zip Vulnerability Linked to Exploitation
The active exploitation of CVE-2025-11001 is a serious concern, especially given the widespread adoption of 7-Zip for file compression and archiving. While NHS England Digital confirmed the in-the-wild exploitation, specific details regarding the methods used, the actors involved, and the precise contexts of these attacks remain undisclosed. The existence of proof-of-concept (PoC) exploits, released by security researcher Dominik (aka pacbypass), further underscores the urgency for users to implement the necessary security updates. These PoCs demonstrate the feasibility of exploiting the vulnerability, making it a prime target for malicious actors seeking easy entry points into target systems.
It is important to note that the same update, 7-Zip version 25.00, also addresses another remote code execution vulnerability, CVE-2025-11002. This secondary flaw (also with a CVSS score of 7.0) shares a similar root cause: improper handling of symbolic links in ZIP archives leading to directory traversal. Both vulnerabilities were introduced in version 21.02 of 7-Zip, meaning that systems that have not been updated beyond this version are potentially susceptible to both threats.
Exploitation Context and Platform Limitations
While the threat is significant, there are specific conditions that attackers must meet to successfully exploit this particular 7-Zip vulnerability on Windows systems. According to Dominik, exploitation is only possible from the context of an elevated user or a service account, or on a machine where developer mode has been enabled. This limitation might restrict the broad applicability of the exploit in some scenarios, but it does not diminish the severity for organizations or individuals operating with such elevated privileges or configurations. The reliance on Windows as the targeted platform further defines the scope of this specific threat.
The implications of an active exploitation campaign for a file compression utility like 7-Zip are far-reaching. Compromise through this vulnerability could lead to data theft, installation of further malware, or complete system takeover. Given the potential for widespread impact, it is imperative for all users of 7-Zip to prioritize applying the latest security patch. The ongoing threat intelligence surrounding 7-Zip vulnerability exploitation will be crucial in understanding the evolving tactics and targets of attackers. Users should continue to monitor security advisories and ensure their software is always up-to-date to mitigate risks.
The next expected step for users is to ensure they have upgraded their 7-Zip installations to version 25.00 or later. Without further information from threat intelligence sources, the full extent of the exploitation campaign and the specific targets remain uncertain. Organizations relying on 7-Zip should remain vigilant and consider implementing additional security measures, such as network segmentation and intrusion detection systems, to further enhance their defense posture against such vulnerabilities.