Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-11001 — Path Traversal in 7zip

CWE-22 — Path Traversal CWE-78 — OS Command Injection12 documents10 sources

Severity

7.8HIGHNVD

CISA7.2

EPSS

0.2%

top 54.02%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

7-zip P7zip Debian 7zip Debian P7zip +1 more

Timeline

PublishedNov 19

Latest updateApr 8

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/7zip< 7zip 25.00+dfsg-1 (forky)

▶debiandebian/p7zip< 7zip 25.00+dfsg-1 (forky)

▶Debian7-zip/p7zip< 16.02+transitional.1

▶CVEListV57-zip/7-zip24.09 (x64)

▶NVD7-zip/7-zip24.09

🔴Vulnerability Details

GHSA

GHSA-h6cw-8q9x-9gj9: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability↗2025-11-20

▶

OSV

CVE-2025-11001: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability↗2025-11-19

▶

VulnCheck

7-zip 7-zip Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')↗2025

▶

💥Exploits & PoCs

Exploit-DB

7-Zip 24.00 - Directory Traversal↗2026-04-08

▶

📋Vendor Advisories

Debian

CVE-2025-11001: 7zip - 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. ...↗2025

▶

CISA

Reolink Multiple IP Cameras OS Command Injection Vulnerability↗2024-12-18

▶

🕵️Threat Intelligence

Securelist

Vulnerability landscape in Q4 2025↗2026-03-06

▶

Securelist

Exploits and vulnerabilities in Q4 2025↗2026-03-06

▶

Qualys

Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option | Qualys↗2025-12-04

▶

Qualys

Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option↗2025-12-04

▶

Wiz

CVE-2025-11002 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶