Urgently Update 7-Zip! Two Critical Vulnerabilities Give Hackers a Direct Path to Your System

Researchers remained silent for three months — now the information is public.
Two critical vulnerabilities in the 7-Zip archiver allowed remote code execution when processing ZIP files. The errors are related to how the program handles symbolic links within archives, making it possible to escape the intended directory and replace system files.
The issues are tracked under the identifiers CVE-2025-11002 and CVE-2025-11001. In both cases, an attacker only needs to prepare a ZIP archive with a specific structure that includes links pointing to external directories. When a vulnerable version of 7-Zip unpacks such an archive, the program follows the link and extracts the content outside the target folder. This allows for the replacement or injection of malicious components into critical system areas.
A potential attack looks like this: an archive is created containing an item that links, for example, to a malicious library in the system32 directory. If such a file is unpacked by a process with administrator privileges, the library is placed into the system directory and can be executed automatically—via a scheduled task or when the required module loads. Exploitation does not require elevated privileges; user interaction with the malicious archive is sufficient.
According to research teams, the threat is especially dangerous for corporate systems where ZIP files are processed automatically—during backups, file sharing, or installing updates. In such scenarios, arbitrary code injection can lead to the compromise of the entire infrastructure.
The 7-Zip developers fixed the vulnerabilities in version 25.00. The update implements strict path validation and blocks symbolic links that escape the extraction directory boundaries. The authors were notified about the issue on May 2, 2025, the fix was released on July 5, and public disclosure occurred on October 7.
Experts recommend installing the latest version of the program and checking systems where archives are unpacked automatically. Signs of a breach may include the appearance of unknown libraries or executable files in protected directories and the presence of ZIP files with suspiciously long paths in their names.
Timely software updates, checking operation logs, and filtering archive contents remain reliable defenses against such attacks.
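The filtering step recommended above can be done before any automated extraction: inspect each ZIP entry and reject archives whose entry names or symbolic-link targets resolve outside the extraction directory. The script below is an added example, not code from 7-Zip or from the researchers; it assumes the standard ZIP convention of storing Unix mode bits in the high 16 bits of the external attributes (where S_IFLNK marks a symlink) and builds its own constructed sample archive with hypothetical paths.

```python
import io
import posixpath
import re
import stat
import zipfile


def _escapes(path):
    """True if an entry name or link target would land outside the extraction root."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return bool(
        posixpath.isabs(norm)
        or re.match(r"^[A-Za-z]:", norm)  # Windows drive letter, e.g. C:/Windows
        or norm == ".."
        or norm.startswith("../")
    )


def _is_symlink(info):
    """ZIP keeps Unix mode bits in the high 16 bits of external_attr; S_IFLNK marks a symlink."""
    return stat.S_ISLNK(info.external_attr >> 16)


def scan_zip(data):
    """Return [(entry_name, reason)] for entries that escape the extraction directory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if _escapes(info.filename):
                findings.append((info.filename, "entry path escapes extraction directory"))
            if _is_symlink(info):
                # For a symlink entry the member's data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.join(posixpath.dirname(info.filename), target)
                if _escapes(target) or _escapes(resolved):
                    findings.append((info.filename, f"symlink target {target!r} escapes extraction directory"))
    return findings


def build_sample_zip():
    """Constructed archive: a benign file, a symlink pointing out of the tree, a '..' entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../Windows/System32/evil.dll")  # hypothetical target, constructed for the demo
        zf.writestr("../outside.txt", "traversal via entry name")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

Run it against archives arriving in a backup or file-sharing pipeline and quarantine any archive that produces findings rather than extracting it.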