
Attackers are actively exploiting CVE-2025-11001, a high-severity vulnerability in 7-Zip. A crafted archive abuses 7-Zip's handling of symbolic links to force writes outside the intended extraction directory, which can lead to remote code execution (RCE) once a user extracts it. Review this Cybersecurity Threat Advisory for remediation steps.
What is the threat?
CVE‑2025‑11001 is a high-severity directory traversal vulnerability in 7‑Zip's ZIP parsing caused by improper handling of symbolic links. When a victim extracts a crafted archive, 7‑Zip may follow attacker-controlled symlink entries and write files outside the intended extraction path. Nothing executes at extraction time by itself; the RCE comes from a planted payload that later runs from a trusted or auto-executing location, with the privileges of the user who extracted the archive. On Windows, creating filesystem symlinks normally requires administrator rights or Developer Mode, which narrows the exposure but does not remove it.
CVE‑2025‑11002, a related symlink-handling flaw, was reported alongside it. Public proof-of-concept (PoC) code is available, and 7‑Zip has released version 25.00 to address both issues. All prior versions are at risk whenever they extract ZIP archives containing symbolic-link entries, in particular when users extract files from untrusted sources on platforms that resolve symlinks during extraction.
Why is it noteworthy?
Consumers and enterprises use 7-Zip on endpoints worldwide, which makes this vulnerability high-risk. Improper symlink handling lets an attacker write files outside the extraction path, enabling RCE and persistence in trusted locations. Exploitation is low-friction, triggered by a routine action such as extracting a malicious archive, which makes phishing and file-sharing effective delivery vectors. Detection is challenging because archive tools routinely create files, so alerts may only fire when the planted payload executes.
What is the exposure or risk?
Organizations using 7‑Zip to handle external archives are at risk of endpoint compromise, persistence, and follow‑on operations. The exposure includes:
- RCE on user endpoints via malicious ZIP files that abuse symbolic‑link handling to write outside the intended extraction directory (directory traversal → RCE).
- Payload placement into autorun or trusted locations (e.g., Startup folders, application plug‑in directories) enabling execution with the user’s privileges and persistence after extraction.
- Data theft or ransomware staging after an initial foothold, given the ease of delivery through routine user actions (phishing attachments, file sharing) and confirmed in‑the‑wild exploitation.
- Operational disruption and reputational damage arising from endpoint compromise and subsequent persistence or lateral movement.
What are the recommendations?
Barracuda strongly recommends the following actions to mitigate CVE‑2025‑11001:
- Update all endpoints to 7-Zip version 25.00 or newer. 7-Zip has no auto-update mechanism, so push the fixed build through your software-deployment tooling and verify the installed version afterwards.
- Identify and update third‑party applications that embed or bundle 7‑Zip components to ensure they ship the fixed build.
- Educate users to be extra vigilant when receiving external ZIP archives. Until all endpoints are updated, open or extract untrusted archives only in an isolated VM/sandbox so that any write outside the extraction directory is contained. Instruct users to avoid extracting archives directly into locations that auto‑execute content (e.g., Startup folders, application plug‑in directories) to reduce RCE and persistence opportunities.
- Implement content filtering at mail and file-transfer gateways that flags ZIP archives containing symbolic‑link entries or entry names with path‑escape patterns (e.g., "../" components, absolute paths, drive‑letter or UNC prefixes), and block or quarantine them pending review.
- Enforce least privilege (remove unnecessary local admin) to constrain the impact of arbitrary file writes and subsequent execution.
- Implement application control (e.g., AppLocker/WDAC) to block execution from user‑writable directories and Startup paths commonly abused after extraction.
- Ensure immutable/offline backups are viable and test the restore process regularly.
- Quarantine affected hosts when exploitation is suspected. Review recent 7‑Zip activity, file creation in autorun/trusted paths, and remove abnormal persistence artifacts (Run keys, scheduled tasks, dropped binaries). Rotate credentials for impacted users and monitor for follow‑on activity, recognizing that adversaries may move quickly once the initial foothold is established in environments with patch lag.
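The content-filtering recommendation above can be prototyped with a small scanner that inspects a ZIP's central directory before anything is extracted. The following is an added example written for this advisory; it is not Barracuda tooling and not 7-Zip code, and the function names (scan_zip, path_escapes, entry_is_symlink, build_sample_archive) are our own. It flags three things that the CVE-2025-11001 technique depends on: entry names that escape the extraction directory, entries marked as symbolic links in the Unix mode bits of external_attr (the field ZIP writers use to record a symlink), and later entries whose path runs through an earlier symlink entry, which is how a write lands outside the target directory. The sample archive is constructed in memory and is not a real exploit.

```python
import io
import posixpath
import re
import stat
import zipfile
from typing import List, Tuple

# Drive letter ("C:") or UNC/forward-slash network prefix at the start of a name.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")


def entry_is_symlink(info: zipfile.ZipInfo) -> bool:
    """ZIP stores Unix mode bits in the high 16 bits of external_attr;
    S_IFLNK there marks the entry as a symbolic link."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)


def path_escapes(name: str) -> bool:
    """True if an entry name (or link target) could resolve outside the
    extraction directory: absolute path, drive/UNC prefix, or a '..'
    component that survives normalisation."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or _DRIVE_OR_UNC.match(norm):
        return True
    return ".." in posixpath.normpath(norm).split("/")


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every suspicious entry, in archive order."""
    findings = []
    links = []  # names of symlink entries seen so far
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if path_escapes(name):
                findings.append((name, "path escapes extraction dir"))
            # A later entry written "through" an earlier symlink lands wherever
            # the link points, even though its own name looks harmless.
            for link in links:
                if name.startswith(link + "/"):
                    findings.append((name, f"written through symlink entry {link!r}"))
                    break
            if entry_is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")  # body holds the link target
                resolved = posixpath.join(posixpath.dirname(name), target)
                if path_escapes(target) or path_escapes(resolved):
                    findings.append((name, f"symlink entry with escaping target {target!r}"))
                else:
                    findings.append((name, "symlink entry"))
                links.append(name)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real exploit): one benign file, one classic
    traversal name, a symlink entry pointing above the archive root, and a
    file whose path runs through that link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("../../evil.txt", "traversal by name")
        link = zipfile.ZipInfo("out")
        link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../Startup")  # link target lives in the entry body
        zf.writestr("out/payload.bat", "echo written through the link")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_archive()):
        print(f"QUARANTINE {name!r}: {reason}")
```

Run against the constructed archive it reports the traversal name, the symlink entry with its escaping target, and the payload written through the link, while readme.txt passes. This is a pre-filter for a gateway, not a replacement for patching: it reads only the central directory and entry bodies, never extracts, and treats any symlink entry as worth quarantining regardless of target, since a benign-looking target can still be a directory that later entries are written through.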
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html
- https://www.zerodayinitiative.com/advisories/ZDI-25-949/
- https://securityaffairs.com/184850/security/7-zip-rce-flaw-cve-2025-11001-actively-exploited-in-attacks-in-the-wild.html
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

