PoC Exploit for Remote Code Execution Vulnerabilities in 7-Zip


A proof-of-concept (PoC) exploit has been published for two vulnerabilities in 7-Zip, one of the most widely used file archivers. The flaws, tracked as CVE-2025-11001 and CVE-2025-11002, can allow an attacker to achieve arbitrary code execution through a crafted ZIP file.

Disclosed by the Zero Day Initiative (ZDI) on October 7, 2025, both flaws arise from the way 7-Zip handles symbolic links during extraction on Windows. Each carries a CVSS v3.0 score of 7.0; the risk is higher than that score initially suggested.

7-Zip versions 21.02 through 24.09 are affected. Ryota Shiga of GMO Flatt Security Inc. identified the underlying issues, which stem from the way 7-Zip converts Linux symlinks to their Windows equivalents without adequate validation. An analysis by security researcher pacbypass traced the flaws to the ArchiveExtractCallback.cpp module, specifically to functions such as IsSafePath and CLinkLevelsInfo::Parse.

The core problem is that 7-Zip’s extraction logic does not properly validate symlink targets. When it extracts a ZIP file containing a Linux symlink whose target is a Windows absolute path, such as C:\Users, the absolute-path check, which was written with Linux and Windows Subsystem for Linux (WSL) path conventions in mind, fails to recognise it, and the target is misclassified as a relative path.

This misclassification bypasses the safety checks in the IsSafePath function, so the symlink can point outside the designated extraction directory. In addition, when the symlink is created in SetFromLinkPath, 7-Zip prepends the extraction folder path to the target, producing what looks like a safe relative path and further evading validation.

A further oversight in CloseReparseAndFile means the directory-specific checks are not applied to non-directory symlinks, so such a link can still point outside the extraction directory. 7-Zip 25.00 addresses this by reintroducing a more robust IsSafePath function that takes an isWSL flag and improves the parsing so that absolute paths are detected correctly, closing both gaps.

A diff between versions 24.09 and 25.00 on GitHub shows an extensive reworking of symlink support. One of the CVEs concerns path traversal; the other concerns symlinks with UNC path targets, which raises the risk in networked environments.

To exploit these vulnerabilities, an attacker would craft a ZIP file in which a symlink is extracted first, redirecting the files that follow it to a sensitive location such as the user’s Desktop or a system folder. For example, an archive could contain a symlink named “link” whose target is C:\Users\[Username]\Desktop, followed by a payload such as calc.exe. On extraction, 7-Zip follows the symlink and writes the executable into that directory, creating a risk of arbitrary code execution if the user later runs it.

The PoC, available in pacbypass’s GitHub repository, demonstrates extracting a directory structure that dereferences the symlink and results in an unauthorised file write. Successful exploitation does, however, require elevated privileges, developer mode, or an elevated service context, which limits the threat mainly to targeted attacks rather than broad phishing campaigns. The exploitation works only on Windows; Linux and macOS users are not affected.

Mitigations

Users are urged to update 7-Zip to version 25.00 without delay, as this release fixes both vulnerabilities. Disabling symlink support during extraction, or scanning archives with antivirus software before extracting them, can further reduce exposure. These vulnerabilities are a reminder of the ongoing risks in archive-handling software, echoing past directory traversal issues in 7-Zip and similar tools.

With the PoC now public, there is a tangible risk that attackers will weaponise these vulnerabilities as an initial access vector in phishing campaigns. Organisations that rely on 7-Zip for bulk extraction should audit those workflows and watch for anomalous file writes.
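The auditing step described above can be partly automated before an archive ever reaches 7-Zip. The following pre-extraction scanner is an added example, not code from the article, the PoC repository or 7-Zip itself: it reads the Unix mode bits of each ZIP entry, and for every symlink checks whether its target is a Windows drive-absolute path (the case the pre-25.00 IsSafePath check misclassified), a UNC path (the second CVE), a rooted path, or a parent-directory traversal. The sample archive it builds is constructed inline for the demonstration, with a placeholder username.

```python
import io
import re
import stat
import zipfile
from typing import List, Optional, Tuple

# Target shapes that the patched IsSafePath treats as absolute and therefore unsafe.
WIN_DRIVE_ABS = re.compile(r"^[A-Za-z]:[\\/]")   # C:\... or C:/...
UNC_PATH = re.compile(r"^(\\\\|//)")              # \\server\share or //server/share


def classify_link_target(target: str) -> Optional[str]:
    """Return a reason string if a symlink target would escape the extraction directory, else None."""
    if WIN_DRIVE_ABS.match(target):
        return "windows-absolute"
    if UNC_PATH.match(target):
        return "unc"
    if target.startswith(("/", "\\")):
        return "rooted"
    if ".." in re.split(r"[\\/]+", target):
        return "parent-traversal"
    return None


def scan_archive(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (entry name, link target, reason) for every symlink entry with an unsafe target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16          # Unix mode lives in the high 16 bits
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")  # a symlink entry's data is its target
            reason = classify_link_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test input: one Windows-absolute symlink, one harmless relative symlink, one regular file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, target in (("link", r"C:\Users\EXAMPLE_USER\Desktop"), ("docs/current", "v1")):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                                # Unix-origin entry, as a Linux-made ZIP would be
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16     # mark the entry as a symlink
            zf.writestr(zi, target)
        zf.writestr("readme.txt", "regular file")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, reason in scan_archive(build_sample_archive()):
        print(f"REJECT {name!r} -> {target!r} ({reason})")
```

Running the scanner on the constructed archive flags only the "link" entry; a zero-findings result is a precondition for extraction, not proof that an archive is benign.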
