7‑Zip Under Fire: How a Quiet Vulnerability Turned Into a Global Exploitation Wave

Listen to this Post

Featured Image

Opening Overview

A critical warning has emerged from NHS England about a newly patched 7‑Zip vulnerability that cybercriminals are already exploiting in real environments. Although the flaw was fixed months ago, unpatched systems are now being targeted with active techniques that allow attackers to execute malicious code through symbolic‑link manipulation. This unfolding situation highlights a dangerous reality: even medium‑severity bugs can become high‑impact weapons when attackers strike before organizations update their systems.
The following breakdown details what happened, how the flaw works, and why security teams must respond urgently.

Incident Summary and Key Details (Around )

Discovery of the Vulnerability

A newly patched security bug in 7‑Zip, labeled CVE‑2025‑11001 and rated with a CVSS score of 7.0, has become the center of active exploitation attempts. Initially reported by Ryota Shiga of GMO Flatt Security, the issue was discovered alongside a second identical flaw, tracked as CVE‑2025‑11002.

Nature of the Flaw

The bug stems from the way 7‑Zip processes symbolic links in ZIP files. Specifically, a directory traversal issue allows crafted symbolic‑link data to trick 7‑Zip into writing files outside of the intended extraction directory. This allows attackers to break out of the safety boundaries normally enforced by the system.

User Interaction Required

For the exploit to succeed, the victim must interact with the ZIP file, such as by opening or extracting it. Once this happens, malicious links can be parsed in a way that gives attackers dangerous levels of access.

Potential for Remote Code Execution

Trend Micro’s Zero Day Initiative (ZDI) explained that attackers can take advantage of the flaw to run code under the security context of a service account. Because many service accounts hold administrative privileges, the potential impact increases significantly.

Vulnerable 7‑Zip Versions

Versions from 21.02 through 24.09 are affected on Windows systems specifically, due to how Linux symbolic links are converted into Windows paths. This conversion gap becomes the opening that attackers abuse.

Patch Availability

The issue was reported to 7‑Zip developers in May and patched in version 25.00, released in July. However, many systems remain outdated, forming an active target base for cybercriminals.

Active Exploitation in the Wild

NHS England has issued a strong warning confirming real‑world attacks. The agency reported that threat actors are using a publicly available proof‑of‑concept exploit, which simplifies the process of abusing the symbolic‑link weakness.

Mechanics of the Exploit

Security engineer Dominik C. explained that the parser treats Linux symbolic links incorrectly when converting them into Windows paths. Links that appear relative are actually treated as absolute, enabling attackers to bypass safety checks designed to block risky link placements.

Administrative Context Required

Because symbolic‑link creation is a privileged operation on Windows, the exploit is only meaningful when 7‑Zip runs under administrative or service‑level accounts. Under these conditions, attackers can place malicious binaries wherever they choose.

Wider Security Ecosystem Impact

This vulnerability joins a growing list of file‑handling flaws being weaponized, including recent exploitation of Ray AI framework bugs, FortiWeb issues, and previous 7‑Zip zero‑days used by Russian threat actors against Ukraine. The pattern highlights how attackers increasingly target common utilities and backup tools not traditionally seen as high‑risk.

What Undercode Say: (Around 40 Lines of Analysis)

Why This Vulnerability Escalated Quickly

The rapid shift from patch release to active exploitation signals a broader trend in the cybersecurity landscape: attackers are now aggressively scanning for unpatched versions of widely used tools, especially those tied to file management. Since 7‑Zip is deeply integrated into countless enterprise workflows, any flaw in its path‑handling logic becomes a strategic opportunity.

The Misunderstood Danger of Mid‑Severity Bugs

CVE‑2025‑11001 carries a CVSS score of 7.0, which many teams mistakenly categorize as “non‑urgent.” However, scoring does not capture real‑world exploitability. In practice, anything allowing write‑outs beyond controlled directories introduces system compromise potential. Attackers understand this better than many organizations do.

Symbolic‑Link Manipulation Remains a High‑Value Attack Vector

Symbolic links have long been used in bypass attacks, privilege escalations, and filesystem corruption scenarios. Tools like 7‑Zip often assume predictable link behavior, yet translation between platforms introduces quirks. Attackers thrive on these overlooked corner cases. Here, Linux‑to‑Windows conversion logic created precisely that kind of exploitable gap.

Why Service Accounts Increase the Blast Radius

When 7‑Zip runs under typical user permissions, the exploit’s impact is limited. But enterprise systems frequently automate archival tasks with elevated service accounts. These processes often have write permissions in sensitive directories. Attackers abusing these configurations can plant binaries that the system later executes automatically, leading to full compromise.

The Hidden Risk of Automation Pipelines

Many companies integrate 7‑Zip into backup scripts, deployment pipelines, and scheduled data transfers. If any of these pipelines rely on vulnerable versions, an attacker only needs to trick the system into processing a malicious archive. Human interaction still exists, but in automated environments, human awareness is minimal.

Proof‑of‑Concept Availability Accelerates Threat Adoption

The public release of a PoC dramatically lowers the barrier to entry for cybercriminals. Attackers no longer need deep technical knowledge; they can use packaged scripts to trigger the issue. This is why NHS England’s warning carries urgent weight. More threat actors will join the exploitation wave as PoC awareness spreads.

The Windows‑Specific Flaw Demonstrates Cross‑Platform Inconsistency Risks

A major lesson here is that cross‑platform file conversion is rarely straightforward. Even mature tools struggle with path normalization issues. Developers must treat symbolic‑link handling with zero trust, especially when translating between OS semantics. Overly relaxed assumptions introduce structural weaknesses that attackers can exploit.

Patch Adoption Gap Shows Ongoing Defensive Weakness

Although the fix has been available since July, many environments appear unpatched months later. This reflects the broader problem of slow update cycles, especially when tools are embedded deep in enterprise processes. Organizations underestimate the risk posed by utilities that “just handle files,” not recognizing that any write‑capable tool is part of their attack surface.

Historic Echoes from Previous 7‑Zip Exploits

This is not the first time 7‑Zip has been used in targeted campaigns. Russian actors exploited a separate zero‑day in earlier attacks against Ukraine. While unrelated, that incident demonstrated that 7‑Zip is an appealing target because its ubiquity grants attackers a massive potential victim pool.

What This Means for Cyber Defenders Going Forward

Security teams must recognize that file‑handling tools are prime targets. Any utility capable of reading or extracting data should be monitored and patched aggressively. Automated systems that rely on elevated accounts should be audited for downgrade opportunities. And above all, organizations must assume that attackers will exploit every available window of opportunity between disclosure and patch adoption.

Fact Checker Results

NHS England publicly confirmed active exploitation of CVE‑2025‑11001. ✅

PoC exploit code is available and contributes to rising attack activity. ✅

Vulnerability only provides meaningful impact when 7‑Zip runs with elevated permissions. ❗

Prediction

Attackers will continue exploiting outdated 7‑Zip installations, especially in organizations that rely on automated file extraction workflows. Cybercriminals are likely to integrate the PoC into broader malware campaigns, and future ransomware operators may adopt the technique for lateral movement. Expect increased targeting of enterprise systems where service accounts use 7‑Zip for backup and deployment tasks.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.securityweek.com
Extra Source Hub (Possible Sources for article):
https://www.facebook.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon