CVE-2025-11001 Overview
CVE-2025-11001 is a directory traversal vulnerability in 7-Zip that allows remote attackers to execute arbitrary code on affected installations. The vulnerability exists within the handling of symbolic links in ZIP files, where crafted data can cause the process to traverse to unintended directories. User interaction is required to exploit this vulnerability, though attack vectors may vary depending on the implementation. An attacker can leverage this flaw to execute code in the context of a service account.
Critical Impact
This directory traversal vulnerability enables attackers to write files outside of intended directories by exploiting improper handling of symbolic links in ZIP archives, potentially leading to arbitrary code execution on Windows systems.
Affected Products
- 7-Zip version 24.09
- Microsoft Windows (x64)
- Systems running 7-Zip with ZIP file extraction capabilities
Discovery Timeline
- 2025-11-19 - CVE-2025-11001 published to NVD
- 2025-11-24 - Last updated in NVD database
Technical Details for CVE-2025-11001
Vulnerability Analysis
This vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal'). The flaw resides in how 7-Zip processes symbolic links contained within ZIP archive files. When extracting archives containing specially crafted symbolic link entries, the application fails to properly validate or sanitize the target paths, allowing an attacker to write files to arbitrary locations on the filesystem outside the intended extraction directory.
The attack requires local access and user interaction—specifically, a victim must open or extract a malicious ZIP file using a vulnerable version of 7-Zip. Once triggered, the vulnerability allows the attacker to escape the extraction directory and place malicious files in sensitive system locations, which can then be leveraged for code execution.
Root Cause
The root cause lies in insufficient path validation during the extraction of ZIP files containing symbolic links. When 7-Zip encounters a symlink entry within an archive, it processes the link target without adequately checking whether the resolved path remains within the designated extraction directory. This allows specially crafted archives to include symlinks pointing to parent directories (e.g., using ../ sequences) or absolute paths, effectively bypassing directory containment.
Attack Vector
The attack requires a threat actor to craft a malicious ZIP archive containing symbolic link entries that reference paths outside the intended extraction directory. The attack flow typically involves:
- An attacker creates a ZIP file containing a symbolic link pointing to a sensitive directory (such as system startup folders or user profile locations)
- The archive may also contain malicious executable files or scripts
- The victim downloads and extracts the archive using 7-Zip version 24.09 or earlier vulnerable versions
- During extraction, the symbolic link is created first, followed by files that traverse through the symlink to write to arbitrary filesystem locations
- The attacker achieves code execution when the victim or system executes the maliciously placed files
The vulnerability is documented in Zero Day Initiative Advisory ZDI-25-949 (originally tracked as ZDI-CAN-26753).
Detection Methods for CVE-2025-11001
Indicators of Compromise
- Unexpected files appearing in system directories or startup folders after extracting ZIP archives
- Symbolic links in temporary extraction directories pointing to sensitive system paths
- New executables or scripts in user profile startup locations (e.g., %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
- Evidence of ZIP file extraction followed by anomalous process execution from non-standard locations
Detection Strategies
- Monitor for ZIP archive extraction operations that result in file writes outside the designated extraction directory
- Implement file integrity monitoring on critical system directories to detect unauthorized file creation
- Deploy endpoint detection rules that correlate 7-Zip process activity with suspicious file system operations
- Analyze ZIP files for suspicious symbolic link entries before extraction using archive inspection tools
Monitoring Recommendations
- Enable logging for 7-Zip operations and monitor for extraction activities that write to system-protected directories
- Configure SentinelOne endpoint protection to monitor for directory traversal patterns in archive extraction workflows
- Implement behavioral detection for newly created executables in startup folders that correlate with recent archive extraction events
- Review security information and event management (SIEM) logs for patterns indicating exploitation attempts
How to Mitigate CVE-2025-11001
Immediate Actions Required
- Update 7-Zip to the latest available version that addresses this vulnerability
- Audit systems running 7-Zip version 24.09 and earlier for potential compromise indicators
- Implement application whitelisting to prevent unauthorized executables from running in sensitive directories
- Educate users about the risks of extracting archives from untrusted sources
Patch Information
Organizations should monitor the official 7-Zip website and distribution channels for security updates addressing this vulnerability. Review the Zero Day Initiative Advisory ZDI-25-949 for additional technical details and remediation guidance. Until a patch is available, consider implementing the workarounds below to reduce exposure.
Workarounds
- Configure 7-Zip or use alternative archive tools that provide symbolic link handling restrictions during extraction
- Extract archives only to isolated or sandboxed directories with restricted permissions
- Use archive inspection tools to scan ZIP files for malicious symbolic link entries before extraction
- Consider using container-based or virtualized environments when handling archives from untrusted sources
# Example: Restrict extraction to a specific directory with limited permissions
# Create an isolated extraction directory
mkdir -p C:\ExtractSandbox
icacls C:\ExtractSandbox /inheritance:r
icacls C:\ExtractSandbox /grant:r "%USERNAME%:(OI)(CI)M"
# Extract archives only to this restricted location
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
