CVE-2025-11001
Published 2025-11-19 · CVE-2025-11001: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
Priority P1 · 81 · high · CVSS 3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 27.02% (97.8th percentile)
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 7-zip | 7-zip | — | — |
| 7-zip | 7-zip | — | — |
| 7-zip | p7zip | >= 0 < 16.02+transitional.1 | 16.02+transitional.1 |
| debian | 7zip | < 7zip 25.00+dfsg-1 (forky) | 7zip 25.00+dfsg-1 (forky) |
| debian | p7zip | < 7zip 25.00+dfsg-1 (forky) | 7zip 25.00+dfsg-1 (forky) |
Detection & IOCs (extracted from sources)
- Detect ZIP archives containing symbolic link entries with directory traversal sequences (e.g. '../../../../') in the link target field — the PoC embeds the traversal path inside a Unix extra field (tag 0x756e) of a symlink entry named 'evil.lnk'.
- Look for ZIP local-file-header entries (magic 0x04034b50) where the extra field contains tag 0x756e (Unix symlink) and the data includes null-terminated path strings with '../' sequences.
- Alert on 7-Zip processes writing files to sensitive system paths (e.g. C:\Windows\System32) during archive extraction, which is anomalous and indicative of directory traversal exploitation.
- Active exploitation has been observed in healthcare and finance sectors; treat any 7-Zip extraction of externally sourced ZIP files on unpatched (< 25.00) systems as high-risk.
- A public proof-of-concept exploit is available; prioritize detection of the PoC's default output filename 'CVE-2025-11001-exploit.zip' in email attachments, web downloads, and file shares.
- The vulnerability affects all 7-Zip versions prior to 25.00 on Windows; the fixed version is 25.00. On Debian, the fix is in package version 25.00+dfsg-1 (sid/forky) and 25.01+dfsg-1~deb13u1 (trixie/bookworm).
- The exploit requires user interaction — the victim must open or extract the malicious ZIP archive; attack vectors may vary depending on how 7-Zip is integrated (e.g. automated extraction pipelines increase risk without user interaction).
- Code executes in the context of the service account running 7-Zip; impact is highest when 7-Zip is run as Administrator or by a privileged service account.
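A scanner implementing the second indicator above (local file headers whose 0x756e extra block carries a NUL-delimited string with '../'), added here as an example; it is not code from any of the sources quoted on this page. The function names, the 14-byte fixed prefix in the constructed sample entries and the extra check for the backslash form '..\' are assumptions of this example; the detection itself only looks for traversal strings inside the block's data, so the prefix length does not affect it.

```python
import struct

LOCAL_HEADER_SIG = 0x04034B50  # "PK\x03\x04", the local-file-header magic
UNIX_EXTRA_TAG = 0x756E        # Unix extra-field tag named in the indicator above

def iter_local_headers(data):
    """Yield (name, extra_bytes) for each local file header in a ZIP byte string."""
    pos = 0
    while (pos := data.find(b"PK\x03\x04", pos)) >= 0 and pos + 30 <= len(data):
        # 30-byte header: sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen
        fields = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        csize, name_len, extra_len = fields[7], fields[9], fields[10]
        name_start = pos + 30
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        extra = data[name_start + name_len:name_start + name_len + extra_len]
        yield name, extra
        pos = name_start + name_len + extra_len + csize  # skip the stored data

def parse_extra_fields(extra):
    """Split an extra field into (tag, payload) blocks; stop at a truncated block."""
    blocks, pos = [], 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if pos + 4 + size > len(extra):
            break
        blocks.append((tag, extra[pos + 4:pos + 4 + size]))
        pos += 4 + size
    return blocks

def find_symlink_traversal(zip_bytes):
    """Names of entries whose 0x756e block holds a NUL-delimited string with '../' or '..\\'."""
    hits = []
    for name, extra in iter_local_headers(zip_bytes):
        for tag, payload in parse_extra_fields(extra):
            if tag == UNIX_EXTRA_TAG and any(
                    b"../" in s or b"..\\" in s for s in payload.split(b"\x00")):
                hits.append(name)
                break
    return hits

def make_symlink_entry(name, target):
    """Constructed test data only: a local header with no file data whose extra field is
    one 0x756e block (assumed 14-byte fixed prefix, then the link target)."""
    payload = b"\x00" * 14 + target
    extra = struct.pack("<HH", UNIX_EXTRA_TAG, len(payload)) + payload
    header = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, 0, 0, 0, 0, 0, 0, 0,
                         len(name), len(extra))
    return header + name + extra

# Constructed sample: a benign relative symlink followed by a traversal-bearing one.
SAMPLE_ZIP = (make_symlink_entry(b"notes.lnk", b"notes.txt")
              + make_symlink_entry(b"evil.lnk", b"../../../target.txt"))
```

The scan covers local headers only; the central directory carries its own copy of each entry's extra field, and a production scanner should check both copies since they need not agree.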
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
GHSA
GHSA-h6cw-8q9x-9gj9: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
ghsa_unreviewed · 2025-11-20 · HIGH · CWE-22
OSV
CVE-2025-11001: 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability
osv·2025-11-19·CVSS 7.8
VulnCheck
7-zip 7-zip Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2025·CVSS 7.8
Affected: 7-zip 7-zip
Required Action: Apply remediations or mitigations per vendor instructions or discon
Debian
CVE-2025-11001: 7zip - 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. ...
vendor_debian·2025·CVSS 7.8
Scope: local
bookworm: open
forky: resolved (fixed in 25.00+dfsg-1)
sid: resolved (fixed in 25.00+dfsg-1)
trixie: resolved (fixed in 25.01+dfsg-1~deb13u1)
CISA
Reolink Multiple IP Cameras OS Command Injection Vulnerability
cisa·2024-12-18·CVSS 7.2
CVE-2019-11001 [HIGH] CWE-78 Reolink Multiple IP Cameras OS Command Injection Vulnerability
Vulnerability: Reolink Multiple IP Cameras OS Command Injection Vulnerability
Affected: Reolink Multiple IP Cameras
Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W IP cameras contain an authenticated OS command injection vulnerability. This vulnerability allows an authenticated admin to use the "TestEmail" functionality to inject and run OS commands as root.
Required Action: The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization if a current mitigation is unavailable.
Notes: https://reolink.com/product-eol/ ; https://reolink.com/download-center/ ; https://nvd.nist.gov/vuln/detail/CVE-2019-11001
Remediation Due Date: 2025-01-08
No detection rules found.
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
  - Windows and Linux vulnerability exploitation
  - Most common published exploits
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
  - React2Shell (CVE-2025-55182): a vulnerability in React Server Components
  - CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
  - CVE-2025-11001: a vulnerability in 7-Zip
  - RediShell (CVE-2025-49844): a vulnerability in Redis
  - CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
  - CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Qualys
Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching is No Longer an Option | Qualys
blogs_qualys·2025-12-04·CVSS 7.8
## Table of Contents
- How Qualys Patch Management Helps Proactively respond to such Vulnerabilities
- Conclusion
A critical remote code execution (RCE) vulnerability in 7-Zip (CVE-2025-11001) is now being actively exploited. The issue stems from improper handling of symbolic links within crafted ZIP files. When a malicious archive is extracted, 7-Zip may write files outside the intended directory, allowing an attacker to overwrite system files or execute arbitrary code with the permissions of a service account.
Originally disclosed in October 2025, the vulnerability carries a CVSS v3 score of 7.0 and affects all versions prior to 25.0.0. Exploitation has been observed across multiple sectors, including healthcare and finance. A related issue, CVE-2025-11002, shares the same underlyin
Checkpoint
24th November – Threat Intelligence Report
blogs_checkpoint·2025-11-24
For the latest discoveries in cyber research for the week of 24th November, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The notorious “Scattered LAPSUS$ Hunters” group claimed responsibility for a supply-chain attack involving the Salesforce-integrated platform Gainsight. The group stated that data from 300 organizations was compromised, including Verizon, GitLab and Atlassian. Salesforce has confirmed unusual activity related to Gainsig
Wiz
CVE-2025-11002 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
## CVE-2025-11002: 7-Zip vulnerability analysis and mitigation
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743.
Source: NVD
Score: 7.8 (Severity HIGH) · CNA score 7.0 · Published January 23, 2026
Affected technologies: 7-Zip, Linux Debian