Skip to content
Contact us

Critical 7-Zip Symlink Vulnerabilities Enable Path Traversal and Remote Code Execution

Picture of The 1898 & Co. Team

Two critical vulnerabilities have been identified in the widely used file archiver 7-Zip, potentially allowing attackers to execute arbitrary code on Windows systems through specially crafted ZIP files. Disclosed by the Zero Day Initiative (ZDI) on October 7, 2025, and tracked as CVE-2025-11001 and CVE-2025-11002, these flaws stem from improper handling of symbolic links (symlinks) during ZIP extraction. The vulnerabilities affect 7-Zip versions 21.02 through 24.09 and have been addressed in version 25.00.

The core issue lies in how 7-Zip processes Linux-style symlinks, converting them to Windows equivalents without sufficient validation. This oversight enables attackers to craft ZIP archives that, when extracted, can redirect file writes to sensitive locations outside the intended extraction directory. The vulnerabilities are particularly concerning given the public availability of a proof-of-concept (PoC) exploit, which demonstrates how a malicious archive can be used to write files to critical system directories.

While exploitation requires elevated privileges or developer mode on Windows, the risk is heightened for organizations that use 7-Zip for automated or bulk extractions, especially in environments where users may have administrative access. The vulnerabilities do not affect Linux or macOS systems but pose a significant threat to Windows-based workflows.

With the PoC now public, there is an increased likelihood that threat actors will attempt to weaponize these flaws in targeted attacks or phishing campaigns. Organizations are urged to update to the latest version of 7-Zip and review their use of archive extraction tools to mitigate potential risks.

Threats and Vulnerabilities

CVE-2025-11001 and CVE-2025-11002 are both rated with a CVSS v3.0 score of 7.0, reflecting their potential for significant impact. The vulnerabilities arise from flaws in the symlink conversion and validation process within 7-Zip’s ArchiveExtractCallback.cpp module. Specifically, the IsSafePath and CLinkLevelsInfo::Parse functions fail to properly validate symlink targets, allowing path traversal attacks that can write files outside the intended extraction directory.

Attackers can exploit these flaws by creating ZIP archives containing symlinks that point to absolute Windows paths, such as C:\Users\[Username]\Desktop. When such an archive is extracted, 7-Zip may follow the symlink and write subsequent files to sensitive locations, potentially leading to arbitrary code execution if a user runs a malicious payload. The vulnerabilities also extend to UNC path symlinks, increasing the risk in networked environments where shared directories are accessible.

The public PoC demonstrates how these vulnerabilities can be leveraged to bypass directory restrictions and write files to protected areas of the file system. While exploitation requires elevated privileges or specific system configurations (such as developer mode), the attack vector remains viable for targeted attacks against high-value systems or users with administrative access.

Industries most at risk include those with automated file processing workflows, such as software development, IT operations, and sectors relying on bulk data extraction or transfer. The vulnerabilities echo previous issues in archive handlers, highlighting the ongoing need for robust validation in file extraction utilities.

Client Impact

Clients using affected versions of 7-Zip may face operational disruptions if attackers exploit these vulnerabilities to overwrite or introduce malicious files into critical system directories. This could result in data breaches, loss of system integrity, or unauthorized code execution, particularly if users inadvertently run compromised files placed on their desktops or other sensitive locations.

Financial consequences may arise from system downtime, incident response efforts, or potential data loss. Additionally, organizations could suffer reputational damage if exploited vulnerabilities lead to publicized breaches or service interruptions. The risk is amplified in environments where users have administrative privileges or where automated extraction processes are in place.

Compliance Implications: Exploitation of these vulnerabilities could lead to unauthorized access or modification of sensitive data, potentially triggering regulatory scrutiny under frameworks such as GDPR, HIPAA, or industry-specific standards. Failure to address these issues may result in audits, penalties, or mandatory breach notifications, especially if personal or regulated data is compromised.

Mitigations

Prompt action is suggested to reduce exposure to these vulnerabilities. The following steps are proposed for consideration:

  1. Update all instances of 7-Zip to version 25.00 or later, as this release addresses the identified vulnerabilities with improved symlink validation.
  2. Disable symlink support during ZIP extraction where feasible, particularly in automated workflows or environments with elevated privileges.
  3. Scan all incoming ZIP archives with reputable antivirus or endpoint protection tools before extraction to detect potential threats.
  4. Audit and monitor file extraction workflows for anomalous file writes, especially those targeting system directories or user desktops.
  5. Restrict administrative privileges and limit the use of developer mode on Windows systems to reduce the risk of successful exploitation.
  6. Educate users about the risks associated with extracting archives from untrusted sources and encourage safe handling practices.
  7. Review and update incident response plans to include procedures for addressing archive-based attacks.

Taking these steps can help reduce the risk of exploitation and support a more resilient security posture. Regularly reviewing and updating extraction tools, combined with user awareness and monitoring, can further limit exposure to similar threats in the future.

1898 & Co. Response

1898 & Co. is actively monitoring developments related to the 7-Zip vulnerabilities and has updated internal security protocols to address these specific risks. Our team is offering targeted vulnerability assessments for clients using 7-Zip or similar archive utilities, helping to identify and remediate potential exposures in automated workflows and critical systems.

We are collaborating with industry peers and security communities to share threat intelligence and best practices for mitigating archive-based attacks. Our ongoing research includes tracking exploit activity and providing timely advisories as new information emerges. In addition, we are supporting clients in implementing secure file handling procedures and reviewing privilege management policies to reduce the risk of exploitation.

Recent engagements have demonstrated the effectiveness of proactive patch management and workflow audits in preventing archive-related incidents. By leveraging our expertise and resources, clients can strengthen their defenses against evolving threats in file extraction and data transfer processes.

Sources

  1. 7-Zip Official Release Notes