CVE-2025-11001 is a critical security vulnerability in the widely used 7-Zip file archiver software, specifically impacting Windows platforms. The vulnerability arises from improper handling of symbolic links within ZIP archives, which enables crafted ZIP files to perform directory traversal attacks. This flaw allows an attacker to manipulate the extraction process to traverse to unintended directories and execute arbitrary code remotely. The vulnerability was introduced in 7-Zip version 21.02 and patched in version 25.00 released in July 2025. Exploitation requires the attacker to operate within the context of an elevated user or service account or on a machine with developer mode enabled, limiting the attack surface but still posing a significant risk. The NHS England Digital advisory confirms active exploitation in the wild, although details on the attack vectors and threat actors remain undisclosed. The flaw enables attackers to execute code with the privileges of the targeted service account, potentially leading to full system compromise. The discovery and reporting were credited to Ryota Shiga and GMO Flatt Security’s AI-powered AppSec Auditor Takumi. Additionally, 7-Zip 25.00 addresses a related vulnerability, CVE-2025-11002, with similar characteristics. The presence of proof-of-concept exploits heightens urgency for patching. Given 7-Zip’s widespread use across various sectors, including government and healthcare, the vulnerability represents a significant threat vector for ransomware, data theft, or persistent access if left unmitigated.

For European organizations, the impact of CVE-2025-11001 can be severe, particularly in sectors that rely heavily on 7-Zip for file management, such as healthcare, government, finance, and critical infrastructure. The NHS England Digital advisory highlights the healthcare sector’s exposure, where exploitation could lead to unauthorized access to sensitive patient data, disruption of healthcare services, or deployment of ransomware. The ability to execute arbitrary code with service account privileges can facilitate lateral movement within networks, data exfiltration, or installation of persistent malware. Organizations using Windows environments with developer mode enabled or services running under elevated privileges are at heightened risk. The vulnerability’s exploitation could undermine confidentiality, integrity, and availability of critical systems. Given the active exploitation reports, European entities face immediate threats from cybercriminal groups or state-sponsored actors seeking to leverage this vulnerability for espionage, sabotage, or financial gain. The potential for widespread impact is amplified by 7-Zip’s popularity and the common practice of exchanging ZIP archives in business workflows.

1. Immediately upgrade all 7-Zip installations to version 25.00 or later to apply the official patch addressing CVE-2025-11001 and CVE-2025-11002. 2. Audit and restrict the use of elevated privileges and service accounts running 7-Zip processes; avoid running 7-Zip under high-privilege contexts where possible. 3. Disable developer mode on Windows machines unless explicitly required, as it expands the attack surface for this vulnerability. 4. Implement strict file validation and scanning policies for incoming ZIP files, especially those received from untrusted sources, to detect and block malicious archives containing symbolic links. 5. Monitor logs and network activity for unusual behavior related to ZIP file extraction or execution of unexpected processes. 6. Educate users and administrators about the risks of opening ZIP files from unknown or suspicious origins. 7. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect and prevent exploitation attempts. 8. Conduct penetration testing and vulnerability assessments focusing on ZIP file handling and privilege escalation vectors within the environment.