Active Exploitation of 7-Zip Symbolic Link Vulnerability (CVE-2025-11001)
Attackers are actively exploiting a critical vulnerability in 7-Zip, identified as CVE-2025-11001, which allows remote code execution through improper handling of symbolic links in ZIP files. The flaw, introduced in 7-Zip version 21.02 and fixed in version 25.00, enables attackers to craft malicious ZIP archives that can traverse directories and execute code in the context of a service account, but only on Windows systems with elevated privileges or Developer Mode enabled. NHS England Digital and multiple security researchers have confirmed active exploitation in the wild, and proof-of-concept exploits have been published, increasing the urgency for organizations to update affected systems.
The vulnerability was discovered by Ryota Shiga of GMO Flatt Security using an AI-powered application security auditor and was publicly disclosed via the Zero Day Initiative. Security advisories emphasize that exploitation is limited to specific Windows configurations, but the presence of public PoC code raises the risk of broader attacks. Users and organizations are strongly advised to upgrade to 7-Zip version 25.00 or later to mitigate the threat and prevent potential compromise from malicious ZIP files leveraging this vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft begins tracking related malicious activity
Microsoft reported that it was tracking malicious activity related to exploitation attempts for CVE-2025-11001 under a specific detection name. This indicated vendor awareness and monitoring of abuse tied to the 7-Zip flaw.
NHS England Digital warns CVE-2025-11001 is being actively exploited
NHS England Digital issued an alert that CVE-2025-11001, a 7-Zip remote code execution flaw, was being actively exploited in the wild. The agency did not identify the threat actor or provide details on how the vulnerability was being weaponized.
Public proof-of-concept exploit for CVE-2025-11001 emerges
A researcher using the name "pacbypass" released a working proof-of-concept exploit for CVE-2025-11001, increasing the risk of abuse. The PoC author said exploitation is limited to Windows and generally requires an elevated user or service account context, or a machine with Developer Mode enabled.
Technical details of CVE-2025-11001 are publicly disclosed
Trend Micro's Zero Day Initiative publicly described CVE-2025-11001 as an improper handling of symbolic links in ZIP archives that can write outside the intended extraction path. The disclosure explained that exploitation could lead to code execution in the context of a service or elevated account on Windows systems.
7-Zip 25.00 released with fixes for CVE-2025-11001 and CVE-2025-11002
7-Zip version 25.00 was released in July 2025 to patch CVE-2025-11001, a symbolic link handling flaw that can enable directory traversal and remote code execution, as well as the related CVE-2025-11002. The update required manual or enterprise-managed deployment because 7-Zip lacks an internal auto-update mechanism.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Critical 7 Zip Vulnerability With Public Exploit Requires Manual Update
hackread.com
Open sourceCritical 7-Zip Vulnerability CVE-2025-11001 Prompts NHS Cyber Alert
thecyberexpress.com
Open sourceActive exploitation of 7-Zip vulnerability reported
scworld.com
Open source7-Zip vulnerability is being actively exploited, NHS England warns (CVE-2025-11001)
helpnetsecurity.com
Open sourceHackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
thehackernews.com
Open source7-Zip RCE flaw (CVE-2025-11001) actively exploited in attacks in the wild
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Remote Code Execution Vulnerabilities in 7-Zip via Malicious ZIP Archives
Two high-severity vulnerabilities in the widely used open-source compression utility 7-Zip have been disclosed, allowing attackers to achieve remote code execution by leveraging specially crafted ZIP archives. The flaws, identified as CVE-2025-11001 and CVE-2025-11002, were reported by Trend Micro’s Zero Day Initiative and affect multiple builds of 7-Zip. These vulnerabilities arise from improper parsing of symbolic links within ZIP files, enabling a malicious archive to escape its intended extraction directory and write files to arbitrary locations on the victim’s system. If exploited, this directory traversal can be chained to execute arbitrary code with the privileges of the user running 7-Zip, potentially compromising the entire Windows environment. Both vulnerabilities have been assigned a CVSS base score of 7.0, reflecting their significant risk. Exploitation requires minimal user interaction; simply opening or extracting a malicious ZIP file is sufficient to trigger the attack. The vulnerabilities were quietly patched in 7-Zip version 25.00, released on July 5, 2025, but details were not publicly disclosed until October, leaving users unaware and exposed for several months if they had not updated. The lack of an automatic update mechanism in 7-Zip exacerbates the risk, as many users may not be running the latest, patched version. The vulnerabilities specifically allow attackers to overwrite or plant payloads in sensitive system paths, which can be used to hijack execution flow and escalate privileges. Security advisories emphasize the importance of updating to version 25.00 or later to mitigate these risks. The flaws highlight the ongoing challenges in securing widely deployed open-source tools, especially those lacking robust update mechanisms. Organizations relying on 7-Zip for file compression and extraction should prioritize patching and consider additional controls to limit the impact of potential exploitation. The vulnerabilities underscore the need for user awareness regarding the risks of opening files from untrusted sources. Security researchers warn that similar directory traversal and symlink handling issues may exist in other archiving tools, warranting broader scrutiny. The incident demonstrates the value of coordinated vulnerability disclosure and timely patch adoption. Enterprises are advised to audit their environments for outdated 7-Zip installations and deploy the latest version as a matter of urgency. The disclosure also serves as a reminder for software maintainers to implement secure default behaviors and consider automated update features to protect end users.
Jun 30, 2026
Critical 7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives
Researchers disclosed **CVE-2026-48095**, a critical heap buffer overflow in 7-Zip affecting version `26.00` and earlier that can lead to application crashes, denial of service, or arbitrary code execution. The bug, reported by Jaroslav Lobačevski of GitHub Security Lab and tracked in advisory `GHSL-2026-140`, resides in the NTFS archive handler’s `CInStream::GetCuSize()` logic, where an under-allocation can shrink a buffer to 1 byte before a later operation writes up to 256 MB of attacker-controlled data into it. The resulting heap corruption can overwrite adjacent objects, including a stream object’s **vtable** pointer, creating a path to code execution. The vulnerability can be triggered simply by opening a specially crafted file because 7-Zip uses signature-based fallback detection and may route files disguised as `.7z`, `.zip`, or `.rar` into the vulnerable NTFS parser regardless of extension. Reports say both 32-bit and 64-bit builds are affected, with 64-bit systems that have sufficient memory more likely to reach reliable code execution, while lower-memory systems may instead crash. Public disclosure included technical details and a Python proof-of-concept generator, raising the risk of weaponization; the issue carries a **CVSS 3.1 score of 8.8**, and users are being urged to update 7-Zip and avoid opening untrusted archives.
Jun 29, 2026
Critical 7-Zip Heap Overflow in NTFS Parsing Enables Possible Code Execution
A critical vulnerability in **7-Zip** tracked as `CVE-2026-48095` and `GHSL-2026-140` allows attackers to trigger a heap-based buffer overflow when a user opens a specially crafted archive containing an **NTFS volume image**. The flaw affects **7-Zip 26.00 and earlier** and stems from incorrect buffer size calculations and insufficient boundary checks in the NTFS handler, where a computed buffer can shrink to **1 byte** while later logic writes up to **256 MB** of attacker-controlled data into it. Researchers said the bug can cause memory corruption, crashes, denial of service, and potentially **arbitrary code execution**, including through possible vtable pointer overwrite under favorable conditions. The vulnerable NTFS handler is enabled by default in stock `7z.dll`, and exploitation does not depend on a specific file extension because 7-Zip uses signature-based fallback matching for NTFS images. The issue was privately reported to the developers in April and fixed in **7-Zip 26.01**, with vendor and researcher advisories later published alongside a Python proof-of-concept. With 7-Zip widely deployed on Windows and Linux systems and embedded in automated workflows and other software, defenders have little mitigation beyond upgrading to the patched release because no workaround has been identified.
Jun 29, 2026