Comprehensive Threat Exposure Management Platform
Hive Pro recognized in Gartner® Magic Quadrant™ for Exposure Assessment Platform, 2025 Watch platform in action
CVE-2025-11001 represents a critical directory traversal vulnerability in 7-Zip that exploits symbolic link misprocessing in ZIP archives. This 7-Zip security flaw affects Windows systems running versions 21.02 through 24.x, allowing threat actors to redirect file extraction to unintended system paths and achieve remote code execution with elevated privileges. The CVE-2025-11001 vulnerability was first identified in May 2025 and patched in 7-Zip version 25.00 released in July 2025. With publicly available proof-of-concept exploits, this 7-Zip remote code execution vulnerability poses significant operational risks to organizations using vulnerable 7-Zip versions on Windows platforms. The directory traversal flaw carries an Admiralty Code rating of A1 and a Red threat level, indicating confirmed, reliable intelligence regarding this critical security vulnerability.
CVE-2025-11001 is a directory traversal defect in 7-Zip’s handling of symbolic links embedded within ZIP archives. The vulnerability stems from improper processing of symbolic links that use Windows-style absolute paths, which 7-Zip incorrectly interprets as relative paths during extraction operations. This 7-Zip symbolic link vulnerability enables attackers to craft malicious ZIP archives containing symbolic links designed to redirect extraction operations to arbitrary filesystem locations beyond the intended extraction directory.
When vulnerable 7-Zip versions extract specially crafted ZIP files containing malicious symbolic links, the application creates these links pointing to arbitrary system directories. Subsequent archive contents then pass through these symbolic links and are written outside the intended extraction path. This directory traversal technique allows threat actors to modify critical system files, overwrite legitimate executables, or place hostile payloads in sensitive system locations, ultimately achieving remote code execution under the privileges of the affected service or user.
The CVE-2025-11001 vulnerability was introduced in 7-Zip version 21.02 and affects all subsequent versions prior to the patched release. A related vulnerability, CVE-2025-11002, shares similar characteristics and was addressed simultaneously. Both CVE-2025-11001 and CVE-2025-11002 were corrected in 7-Zip version 25.00. The vulnerability specifically affects Windows systems and becomes exploitable when 7-Zip executes with elevated privileges or when Windows Developer Mode is enabled on the target system.
Malicious ZIP archives exploiting CVE-2025-11001 can appear as routine compressed files while containing symbolic links designed to mimic standard filesystem shortcuts. Instead of confining extraction operations to the target directory, the 7-Zip symbolic link flaw redirects extraction to sensitive system areas, enabling file overwrites and unauthorized code execution. The availability of confirmed proof-of-concept exploit code significantly elevates the operational risk associated with this 7-Zip remote code execution vulnerability.
Affected Products: 7-Zip versions prior to 25.00 on Windows platforms
CVE Classification: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Affected CPE: cpe:2.3:a:7-zip:7-zip::::::::
Software Hardening: Organizations must ensure all systems run 7-Zip version 25.00 or later, which represents the first release fully addressing CVE-2025-11001 and related directory traversal vulnerabilities. Security teams should remove every older 7-Zip installation and eliminate duplicate installations to prevent residual attack paths. Implement controlled software baselines across all endpoints to prevent the use of unauthorized archive utilities and vulnerable 7-Zip versions. Software inventory management systems should identify and remediate any legacy 7-Zip installations that remain vulnerable to CVE-2025-11001 exploitation.
System Integrity Assurance: Conduct regular audits of system directories that represent likely targets for directory traversal overwrite attempts. Implement monitoring to track unauthorized file modifications, new binary appearances, or abnormal write patterns in protected system locations. Integrate endpoint detection and response rules capable of detecting or blocking symlink-based traversal events and unauthorized payload placement. File integrity monitoring solutions should alert on unexpected changes to critical system files that could indicate exploitation of the 7-Zip directory traversal vulnerability.
Monitor Extraction Behavior: Implement pre-extraction scanning to check ZIP files for embedded symbolic links before processing with 7-Zip. Deploy detection mechanisms to alert on any extraction attempt that writes files outside the designated target directory. Log all archive extraction activity on systems that handle sensitive data or operate with elevated privileges. Security information and event management platforms should correlate extraction anomalies with potential CVE-2025-11001 exploitation attempts to enable rapid incident response.
TA0002 – Execution
TA0003 – Persistence
TA0005 – Defense Evasion
TA0007 – Discovery
Get through updates and upcoming events, and more directly in your inbox