Thursday, November 20, 2025

7-Zip Symbolic Link-Based RCE Vulnerability (CVE-2025-11001) with proof-of-concept (PoC) code


7-Zip is a widely used free and open-source file archiver (it was one of the projects covered by the EU-FOSSA bug-bounty programme). It extracts many formats, including zip, .tar, .gz and .rar, creates archives in its own .7z format, and supports AES-256 encryption of 7z and zip archives.

The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0, published October 7th, 2025). It lets an attacker execute arbitrary code on the victim's machine by means of symbolic links stored in a crafted archive. User interaction is required: the victim has to extract the malicious archive, so the attack is "remote" only in the sense that the archive is delivered over the network (e-mail attachment, download, shared drive).


Symlinks in Windows 10! - An excellent article that explains Windows symbolic links and demonstrates how a link can be used to reach and launch an executable.

Also fixed was CVE-2025-11002 (CVSS score: 7.0), a closely related flaw. Both come down to improper handling of symbolic links within ZIP archives: 7-Zip creates the symbolic link entry and then follows it while writing the entries that come after it, so a crafted archive can place files outside the directory the user chose for extraction (directory traversal). Being able to drop a file at a path of the attacker's choosing is what turns the traversal into code execution. Both shortcomings were introduced in version 21.02. Note that on Windows creating a symbolic link requires the SeCreateSymbolicLinkPrivilege (granted by default only to administrators) or Developer Mode, so the impact is greatest when 7-Zip runs in an elevated or service-account context.
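The following is an added example, not code from the post or from the linked PoC repository. It scans a ZIP archive for the generic pattern the advisories describe (a symlink entry whose target leaves the extraction directory, followed by entries whose paths pass through that link) so that archives can be triaged before they are opened with an unpatched 7-Zip. The function names and the sample archive are my own; the sample is constructed in memory to exercise the scanner and makes no claim about the layout the real PoC uses. The only assumption about the extractor is that it processes entries in central-directory order, which is how 7-Zip and Python's zipfile behave.

```python
import io
import posixpath
import stat
import zipfile


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """True if the entry is stored as a Unix symbolic link.

    ZIP keeps the Unix st_mode in the high 16 bits of external_attr; 7-Zip
    and most other extractors use that mode to decide whether to create a
    link instead of a regular file.
    """
    return stat.S_ISLNK(info.external_attr >> 16)


def _escapes_extraction_dir(path: str) -> bool:
    """True if the path would land outside the extraction directory."""
    p = path.replace("\\", "/")
    # Absolute (/etc/..) or drive-rooted (C:/...) targets always escape.
    if p.startswith("/") or (len(p) > 1 and p[1] == ":"):
        return True
    norm = posixpath.normpath(p)
    return norm == ".." or norm.startswith("../")


def scan_zip(data: bytes) -> list[str]:
    """Return human-readable findings for symlink-based traversal in a ZIP.

    Entries are walked in central-directory order (assumption: the extractor
    does the same). A symlink entry created earlier is remembered; any later
    entry whose path goes through it would be written wherever the link
    points, which is exactly the traversal the advisories describe.
    """
    findings: list[str] = []
    links_so_far: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_extraction_dir(name):
                findings.append(f"entry name escapes the extraction directory: {name}")
            if _is_symlink(info):
                # For a symlink entry the stored content is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                if _escapes_extraction_dir(target):
                    findings.append(
                        f"symlink {name} -> {target} points outside the extraction directory"
                    )
                links_so_far.append(name.rstrip("/"))
                continue
            for link in links_so_far:
                if name.startswith(link + "/"):
                    findings.append(f"entry {name} is written through earlier symlink {link}")
                    break
    return findings


def build_sample(with_traversal: bool) -> bytes:
    """Constructed sample archive (not the PoC's layout) used to exercise scan_zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless content")
        if with_traversal:
            link = zipfile.ZipInfo("out")
            link.create_system = 3  # 3 = Unix, so extractors honour the mode bits
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "../../")  # link target above the extraction directory
            zf.writestr("out/dropped.txt", "constructed payload placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            archive = fh.read()
    else:
        archive = build_sample(True)
    for finding in scan_zip(archive):
        print(finding)
```

Run it with a path to an archive to scan a real file, or without arguments to see the two findings produced by the constructed sample (the escaping symlink and the entry written through it). A clean archive returns an empty list. The scanner is deliberately conservative: it flags any entry written through any earlier symlink, even one whose target stays inside the extraction directory, because that is still a write to a location the entry name does not show.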


How to Fix

Fixed in 7-Zip 25.00 (released July 2025); affected versions are 21.02 through 24.09. The download page now offers 25.01 and no longer lists 25.00, so installing the current release is the simplest way to get the fix. 7-Zip has no auto-update mechanism, so every installation has to be upgraded by hand.

Upgrade your 7-Zip now - Download (7-zip.org) - Confirmed working on Windows 7.


POC Code
pacbypass/CVE-2025-11001: Exploit for CVE-2025-11001 or CVE-2025-11002 (github.com)
