Hackers Target 7-Zip in Active Exploitation Campaign
In the latest cybersecurity news today, security experts have warned users about an actively exploited vulnerability in 7-Zip, one of the world’s most popular file compression utilities. The flaw, tracked as CVE-2025-11001, has a CVSS score of 7.0 and allows remote attackers to execute arbitrary code on vulnerable systems.
According to a security advisory issued by NHS England Digital, the vulnerability has already been observed under active exploitation in the wild. Researchers are urging users and organizations to update 7-Zip to version 25.00, which includes critical patches for this and another related security issue.
Details of the 7-Zip Vulnerability CVE-2025-11001
The 7-Zip vulnerability lies in the program’s handling of symbolic links within ZIP files. Security firm Trend Micro’s Zero Day Initiative (ZDI) revealed that attackers can craft malicious ZIP archives that exploit this weakness to force the software to traverse unintended directories.
“An attacker can leverage this vulnerability to execute code in the context of a service account,” the ZDI stated in its recent advisory. This means that if an unsuspecting user extracts or interacts with a malicious ZIP file, the attacker could potentially gain system-level access.
The issue was discovered by Ryota Shiga of GMO Flatt Security Inc., assisted by the company’s AI-powered AppSec Auditor Takumi. The researchers reported their findings earlier this year, leading to a prompt fix in the 7-Zip 25.00 update released in July 2025.
Another Similar Flaw Patched in Version 25.00
In addition to CVE-2025-11001, the same update also addresses CVE-2025-11002, another vulnerability with a similar CVSS score of 7.0. This flaw also involves the improper handling of symbolic links and could allow for remote code execution via directory traversal attacks.
Both vulnerabilities were introduced in 7-Zip version 21.02, which means users who have not updated since that version are at serious risk.
“Active exploitation of CVE-2025-11001 has been observed in the wild,” said NHS England Digital. Although technical details about the attacks remain limited, the agency confirmed that malicious actors are taking advantage of the flaw.
Proof-of-Concept Exploits Circulating Online
Adding to the urgency, a proof-of-concept (PoC) exploit for the vulnerability has already been made public by independent security researcher Dominik (known as pacbypass).
Dominik clarified that the vulnerability can only be exploited on Windows systems, and typically requires elevated privileges or a machine with developer mode enabled. However, experts warn that this does not eliminate the threat, especially for enterprise users who often operate with higher system privileges.
Given that a working exploit is available, cybersecurity professionals emphasize that prompt patching is critical to prevent targeted attacks. Users are advised to verify their 7-Zip version and install the latest update immediately.
What Users and Organizations Should Do
Cybersecurity analysts recommend the following steps to mitigate the threat:
- Update immediately to 7-Zip version 25.00 or newer.
- Avoid opening or extracting files from untrusted ZIP archives.
- Restrict user privileges and disable developer mode if not necessary.
- Implement endpoint protection tools that can detect malicious ZIP file activity.
Organizations should also conduct vulnerability scans to identify outdated versions of 7-Zip within their networks. IT departments are urged to enforce patch management policies to ensure all systems remain up to date.
Broader Implications for Software Security
The active exploitation of CVE-2025-11001 underscores the growing challenges faced by open-source software maintainers. Even widely trusted utilities like 7-Zip are becoming prime targets for threat actors seeking to infiltrate systems through overlooked vulnerabilities.
Experts point out that the incident highlights the importance of responsible disclosure, automated vulnerability testing, and timely patch adoption. As cyber threats continue to evolve, both individual users and enterprises must stay vigilant against emerging exploits.
Conclusion
The discovery and ongoing exploitation of the 7-Zip symbolic link vulnerability serve as a reminder that even small utilities can pose significant risks when not properly updated. With proof-of-concept exploits available online and reports of real-world attacks, immediate action is necessary to secure systems.
Users should confirm they are running 7-Zip version 25.00 or later, apply security updates, and remain cautious when handling compressed files from unknown sources.
For continuous updates on cybersecurity news today, vulnerability alerts, and data protection strategies, visit StartupNews.fyi.
