High

7-Zip ZIP Symlink Directory Traversal RCE

IdentifiersCVE-2025-11002CWE-22· Improper Limitation of a Pathname…

CVE-2025-11002 is a remote code execution vulnerability in 7-Zip caused by improper handling of symbolic links in ZIP archives. The flaw exists in ZIP file parsing/extraction logic where crafted archive data can cause traversal to unintended directories via symlink processing. Reporting indicates the issue is effectively identical to CVE-2025-11001 and was introduced in 7-Zip 21.02, with fixes released in 7-Zip 25.00. On affected Windows systems, a malicious ZIP can abuse Linux-to-Windows symlink conversion behavior to bypass protections intended to prevent absolute-path link creation, allowing files to be written outside the intended extraction directory. In suitable deployment scenarios, this out-of-directory write can be leveraged to achieve arbitrary code execution in the context of the process handling the archive, including a service account.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker to write files outside the intended extraction directory and, in some scenarios, achieve arbitrary code execution. Where 7-Zip is invoked by an automated workflow or service, code execution may occur in the security context of that service account. The practical impact is highest on Windows systems where 7-Zip runs with elevated privileges, enabling placement of attacker-controlled binaries or other files into sensitive locations.

Mitigation

If you can’t patch tonight, do this now.

Do not open or process untrusted ZIP archives on vulnerable systems until patched. Restrict 7-Zip-based archive handling to low-privilege contexts and avoid running extraction workflows as administrators or privileged service accounts. Where possible, process archives in a sandbox, container, or isolated VM and constrain filesystem permissions so that even successful traversal cannot write to sensitive paths. On Windows, avoid configurations that permit privileged symlink creation unless operationally required.

Remediation

Patch, then assume compromise.

Upgrade 7-Zip to version 25.00 or later, which patches CVE-2025-11002. Also update any products, scripts, or services that bundle or invoke vulnerable 7-Zip versions, particularly deployments using versions 21.02 through 24.09. Validate that archive-processing workflows no longer permit symlink-based writes outside the extraction directory after upgrade.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

7-Zip7-Zipapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

25 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

25 SOURCESView more in app

the hacker newsNews

Nov 19, 2025

Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)

A second 7-Zip vulnerability involving improper symbolic link handling in ZIP archives that can be abused for directory traversal leading to remote code execution; fixed in 7-Zip 25.00 and introduced in 21.02.

security weekNews

Jan 17, 2026

Recent 7-Zip Vulnerability Exploited in Attacks

An identical 7-Zip vulnerability to CVE-2025-11001 (per the content), patched in 7-Zip 25.00; specific exploitation details are not provided in the content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity23

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-11002

NVD

nvd.nist.gov/vuln/detail/CVE-2025-11002

MITRE CWE · CWE-22

Improper Limitation of a Pathname to a…

Third Party Advisory

zerodayinitiative.com/advisories/ZDI-25-950