The widely used open-source archiver 7-Zip, long perceived as a safe and reliable utility, is now at the center of a serious security incident. According to a recent alert from NHS England Digital, the vulnerability CVE-2025-11001 in the Windows version of 7-Zip is being actively exploited in real-world attacks. Organizations are strongly advised to upgrade to 7-Zip 25.00 without delay.
CVE-2025-11001 in 7-Zip: risk level and core issue
The flaw CVE-2025-11001 has been assigned a CVSS score of 7.0, placing it in the “high severity” category. The vulnerability stems from improper handling of symbolic links (symlinks) inside ZIP archives. A specially crafted archive can trick 7-Zip’s extraction logic into following these links outside the intended directory structure.
In practice, this can allow an attacker to execute arbitrary code in the security context of the user running 7-Zip. If that user account has elevated privileges, the compromise can extend from a single profile to partial or even full system takeover.
How the 7-Zip ZIP symlink vulnerability is exploited on Windows
Symbolic links as the attack vector
Symbolic links are special filesystem objects that act as pointers to other files or folders. When 7-Zip processes a malicious ZIP file containing a chain of symlinks, it can be coerced into writing files outside the target extraction folder, potentially overwriting or dropping payloads into sensitive directories.
The security researcher known as pacbypass has published a proof-of-concept (PoC) exploit for CVE-2025-11001, clarifying several exploitation details. According to this analysis, the issue is specific to Windows and does not manifest on other operating systems, likely due to differences in how symlinks and permissions are implemented.
Conditions required for successful compromise
Based on the available technical information, successful exploitation of CVE-2025-11001 typically requires at least one of the following conditions:
- 7-Zip is executed under a privileged account or service identity with broad filesystem rights;
- The system is running with Windows Developer Mode enabled, which relaxes some restrictions and simplifies symlink creation and handling.
This significantly raises the risk in enterprise environments, where 7-Zip is frequently used in automated jobs, backup scripts, and service processes that run under privileged or service accounts. In such cases, a single malicious archive can become an effective foothold for lateral movement.
Related vulnerability CVE-2025-11002 and affected 7-Zip versions
Alongside CVE-2025-11001, 7-Zip version 25.00 also addresses a closely related flaw, CVE-2025-11002, which likewise affects symlink processing in ZIP archives. This second vulnerability is also rated 7.0 on the CVSS scale and may lead to remote code execution when a user opens a maliciously crafted archive.
Both issues were introduced after 7-Zip version 21.02. All releases from 7-Zip 21.02 up to (but not including) 25.00 are considered vulnerable. For organizations relying on long-lived, “frozen” system images that are rarely updated, this creates a prolonged attack window across desktops, servers, and virtual machine templates.
NHS England Digital alert and evidence of active exploitation
This week, NHS England Digital officially confirmed that CVE-2025-11001 is being actively exploited in the wild. While detailed information about threat actors, targeted sectors, and exact attack chains has not been disclosed, the combination of confirmed incidents and publicly available PoC exploits substantially increases the likelihood of broader, automated exploitation.
Industry reports such as the Verizon Data Breach Investigations Report have repeatedly highlighted that widely deployed utilities are attractive targets: even a single overlooked vulnerability in common tools like archivers, backup software, or remote management agents can provide attackers with scalable entry points across many organizations.
Security recommendations: updating 7-Zip and hardening Windows environments
The most effective mitigation is to upgrade 7-Zip to version 25.00 on all affected systems, as this release contains fixes for CVE-2025-11001 and CVE-2025-11002. Since 7-Zip does not include an automatic update mechanism, the process must be performed manually:
- Download the latest installer only from the official 7-Zip website;
- Verify the integrity of the installer, for example by checking published hashes when available;
- Roll out the update to all endpoints and servers using 7-Zip, including golden images, VDI templates, and container bases.
To further reduce exposure, organizations should:
- Minimize or avoid running 7-Zip under administrative or service accounts unless strictly necessary;
- Review policies for handling incoming archives from untrusted sources, particularly on servers and jump hosts;
- Update software inventories to identify and remove obsolete 7-Zip binaries in forgotten folders, backup archives, and legacy images;
- Enable logging and monitoring around archive extraction activities on critical systems to detect unusual file writes or process behavior.
As attackers increasingly focus on vulnerabilities in ubiquitous tools, maintaining a disciplined patching process, limiting account privileges, and treating all external archives as potentially hostile are becoming foundational elements of cyber hygiene. Promptly deploying 7-Zip 25.00 and tightening operational practices around archival utilities can significantly reduce the likelihood and impact of incidents stemming from CVE-2025-11001 and similar vulnerabilities, strengthening the overall resilience of corporate infrastructure.
