Two 7-Zip Flaws Allow Code Execution via Malicious ZIP Files (CVE-2025-11001 & CVE-2025-11002)

The Zero Day Initiative (ZDI) has published details of two critical vulnerabilities in the popular open-source compression utility 7-Zip, which could allow attackers to execute arbitrary code by tricking users into opening specially crafted ZIP files. Both have been patched in 7-Zip version 25.00.

According to the ZDI advisory, “This allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this but attack vectors may vary depending on the implementation.”

Both vulnerabilities, CVE-2025-11001 and CVE-2025-11002, share the same underlying weakness: improper handling of symbolic links inside ZIP archives. The flaw allows a malicious ZIP file to traverse outside the intended extraction directory, leading to potential overwriting or execution of arbitrary files.

As described in the advisory, “The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories.”

By exploiting this issue, attackers could execute arbitrary code “in the context of a service account,” potentially gaining elevated privileges depending on how 7-Zip is used within the system.

Exploitation of these vulnerabilities requires some degree of user interaction — such as opening or extracting a malicious ZIP file — but ZDI warns that attack vectors may vary depending on how 7-Zip is integrated into applications.

While standalone 7-Zip users must manually open a file, embedded or automated systems using 7-Zip libraries could be exploited silently, especially in server-side file processing environments or cloud-based decompression workflows.
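The weakness described above is a classic one for archive extractors: a ZIP entry stored with a Unix symlink mode carries its link target as the entry data, so a later entry whose path passes through that link is written wherever the link points. The following is an added example, not code from the article, from ZDI or from the 7-Zip project, showing how a server-side pipeline that feeds archives to a decompression step could audit entries before extraction. It builds a constructed sample archive in memory (the names `report/out`, `../..` and `dropped.txt` are illustrative test data, not values from the advisory) and flags every entry that escapes the extraction root, either directly, through a symlink target, or by writing through a previously declared symlink.

```python
"""Pre-extraction audit of ZIP entries for symlink-based path traversal (added example)."""
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """A Unix symlink in a ZIP is marked by S_IFLNK in the high 16 bits of external_attr."""
    mode = info.external_attr >> 16
    return stat.S_ISLNK(mode)


def _escapes_root(path: str) -> bool:
    """True if a POSIX-style path would land outside the extraction root."""
    first = path.split("/")[0]
    if path.startswith("/") or path.startswith("\\") or ":" in first:
        return True  # absolute POSIX path, UNC-style path, or Windows drive prefix
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> list:
    """Return (entry name, reason) for every entry a safe extractor should refuse.

    Entries are examined in archive order, because a symlink only matters for the
    entries that follow it; the audit is conservative and refuses any write that
    passes through a symlink, even one whose target stays inside the root.
    """
    findings = []
    symlinks = {}  # normalized link path -> resolved target, relative to the root
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            if _escapes_root(name):
                findings.append((info.filename, "entry path escapes extraction root"))
                continue
            for link in symlinks:
                if norm == link or norm.startswith(link + "/"):
                    findings.append((info.filename, f"path passes through symlink {link!r}"))
                    break
            else:
                if is_symlink(info):
                    target = zf.read(info).decode("utf-8", "replace")
                    resolved = posixpath.normpath(
                        posixpath.join(posixpath.dirname(norm), target)
                    )
                    if _escapes_root(target) or _escapes_root(resolved):
                        findings.append(
                            (info.filename, f"symlink target {target!r} escapes extraction root")
                        )
                    symlinks[norm] = resolved
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input (not from the advisory): a benign file, a symlink whose
    target is two levels above the extraction root, and a file written through it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "harmless content")
        link = zipfile.ZipInfo("report/out")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "../..")  # link data is the target path
        zf.writestr("report/out/dropped.txt", "constructed marker content")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed control input with only regular, in-root entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/readme.txt", "harmless content")
        zf.writestr("report/data/values.csv", "a,b\n1,2\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_archive()):
        print(f"REFUSE {entry}: {reason}")
    print("clean archive findings:", audit_zip(build_clean_archive()))
```

Running the module prints two refusals for the constructed archive (the symlink whose target leaves the root, and the file written through it) and an empty list for the control archive. In a pipeline, an archive with any finding would be quarantined rather than passed to the extractor, which closes the gap regardless of whether the extractor itself has been updated to 25.00.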

Directory traversal vulnerabilities in archive tools can have serious consequences, particularly in enterprise environments where compressed files are processed automatically. Attackers can:

  • Overwrite configuration or startup files, enabling persistence.
  • Drop malicious executables into trusted directories.
  • Trigger remote code execution if the overwritten file is later executed by the system or a privileged service.

Even though direct exploitation requires user action, the simplicity of ZIP delivery makes these bugs highly attractive for phishing and malware campaigns. Attackers could disguise a malicious archive as a resume, invoice, or project file — tricking users into unzipping it with 7-Zip.

Both vulnerabilities have been fixed in 7-Zip version 25.00.
