CVE-2025-11001
published 2025-11-19

Priority: P1 · 81 · high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Exploited in the wild
EPSS: 27.02% (97.8th percentile)
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.

Affected (5 ranges)

Vendor | Product | Version range               | Fixed in
7-zip  | 7-zip   |                             |
7-zip  | 7-zip   |                             |
7-zip  | p7zip   | >= 0 < 16.02+transitional.1 | 16.02+transitional.1
debian | 7zip    | < 7zip 25.00+dfsg-1 (forky) | 7zip 25.00+dfsg-1 (forky)
debian | p7zip   | < 7zip 25.00+dfsg-1 (forky) | 7zip 25.00+dfsg-1 (forky)

Detection & IOCs (extracted from sources)

filename: evil.lnk
version: 7-Zip < 25.00
  • Detect ZIP archives containing symbolic link entries with directory traversal sequences (e.g. '../../../../') in the link target field — the PoC embeds the traversal path inside a Unix extra field (tag 0x756e) of a symlink entry named 'evil.lnk'.
  • Look for ZIP local-file-header entries (magic 0x04034b50) where the extra field contains tag 0x756e (Unix symlink) and the data includes null-terminated path strings with '../' sequences.
  • Alert on 7-Zip processes writing files to sensitive system paths (e.g. C:\Windows\System32) during archive extraction, which is anomalous and indicative of directory traversal exploitation.
  • Active exploitation has been observed in healthcare and finance sectors; treat any 7-Zip extraction of externally sourced ZIP files on unpatched (< 25.00) systems as high-risk.
  • A public proof-of-concept exploit is available; prioritize detection of the PoC's default output filename 'CVE-2025-11001-exploit.zip' in email attachments, web downloads, and file shares.
  • The vulnerability affects all 7-Zip versions prior to 25.00 on Windows; the fixed version is 25.00. On Debian, the fix is in package version 25.00+dfsg-1 (sid/forky) and 25.01+dfsg-1~deb13u1 (trixie/bookworm).
  • The exploit requires user interaction: the victim must open or extract the malicious ZIP archive. Attack vectors may vary depending on how 7-Zip is integrated (e.g. automated extraction pipelines increase risk without user interaction).
  • Code executes in the context of the service account running 7-Zip; impact is highest when 7-Zip is run as Administrator or by a privileged service account.
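The second detection rule above, implemented as an added example (not code from the page's sources or from 7-Zip) that scans raw archive bytes for local file headers whose extra field carries tag 0x756e with a traversal sequence in its data. The sample inputs are constructed inline as bare local headers (no central directory, so not valid archives); the entry name and tag come from the notes above, while the helper names and the zeroed 14-byte prefix before the link target are my assumptions.

```python
import struct

LOCAL_HEADER_SIG = b"PK\x03\x04"          # 0x04034b50 little-endian
UNIX_SYMLINK_EXTRA_TAG = 0x756E          # tag quoted in the detection notes
TRAVERSAL_MARKERS = (b"../", b"..\\")


def iter_local_headers(data):
    """Yield (offset, name, extra) for every local file header in data.

    Forensic scan rather than a full ZIP parser: find the signature, read the
    fixed 30-byte header, then move past name/extra/stored data.
    """
    off = 0
    while True:
        off = data.find(LOCAL_HEADER_SIG, off)
        if off < 0 or off + 30 > len(data):
            return
        (_sig, _ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, off)
        name = data[off + 30:off + 30 + name_len]
        extra = data[off + 30 + name_len:off + 30 + name_len + extra_len]
        yield off, name, extra
        # With a data descriptor (flag bit 3) csize may be 0; still advance past the header.
        off += 30 + name_len + extra_len + (0 if flags & 0x8 else csize)


def iter_extra_fields(extra):
    """Yield (tag, body) from the repeated (tag, size, body) extra-field records."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        yield tag, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def find_symlink_traversal(data):
    """Return findings for entries whose 0x756e extra data contains '../' or '..\\'."""
    findings = []
    for off, name, extra in iter_local_headers(data):
        for tag, body in iter_extra_fields(extra):
            if tag == UNIX_SYMLINK_EXTRA_TAG and any(m in body for m in TRAVERSAL_MARKERS):
                findings.append({"offset": off, "name": name.decode("utf-8", "replace")})
    return findings


def local_header(name, extra, payload=b""):
    """Build one stored (method 0) local file header; constructed test data only."""
    hdr = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, 0, 0, 0, 0,
                      len(payload), len(payload), len(name), len(extra))
    return hdr + name + extra + payload


def symlink_extra(target):
    """0x756e record: 14 zeroed fixed bytes (assumed layout) + NUL-terminated link target."""
    body = b"\x00" * 14 + target + b"\x00"
    return struct.pack("<HH", UNIX_SYMLINK_EXTRA_TAG, len(body)) + body


# Constructed samples: a benign file plus the traversal symlink entry described above,
# and a benign symlink whose target stays inside the archive.
SUSPICIOUS_SAMPLE = (local_header(b"readme.txt", struct.pack("<HH", 0x5455, 5) + b"\x01" + b"\x00" * 4, b"hello")
                     + local_header(b"evil.lnk", symlink_extra(b"../../../../PLACEHOLDER_TARGET")))
BENIGN_SAMPLE = local_header(b"link", symlink_extra(b"docs/target.txt"))
```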

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v3.0    | 7.0   | HIGH     | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
osv           |         | 7.8   | HIGH     |
vulncheck     |         | 7.8   | HIGH     |
cisa          |         | 7.2   | HIGH     |
vendor_debian |         | 7.8   | HIGH     |