CVE-2025-11002 Overview
CVE-2025-11002 is a directory traversal vulnerability in 7-Zip that enables remote code execution through malicious ZIP file handling. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. While user interaction is required to exploit this vulnerability, attack vectors may vary depending on the implementation.
The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories, allowing an attacker to write files outside the intended extraction path. An attacker can leverage this vulnerability to execute code in the context of a service account.
Critical Impact
Successful exploitation allows attackers to achieve arbitrary code execution by abusing symbolic link handling in ZIP archives, potentially leading to full system compromise when extracting malicious archives.
Affected Products
- 7-Zip version 24.09
- 7-Zip installations processing untrusted ZIP archives
- Systems using 7-Zip for automated archive extraction workflows
Discovery Timeline
- 2026-01-23 - CVE-2025-11002 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-11002
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The flaw resides in how 7-Zip processes symbolic links embedded within ZIP archives during extraction operations.
When a user extracts a crafted ZIP file containing malicious symbolic links, the application fails to properly validate the target paths of these symlinks. This allows an attacker to construct ZIP archives with symbolic links that point to directories outside the intended extraction location. Upon extraction, files can be written to arbitrary locations on the filesystem, bypassing the expected directory constraints.
The local attack vector requires user interaction—specifically, the victim must open and extract a malicious ZIP archive. However, this interaction requirement can be circumvented in enterprise environments where 7-Zip is used in automated extraction pipelines, email attachment processing, or content management systems.
Root Cause
The root cause is improper validation of symbolic link targets during ZIP file extraction. 7-Zip version 24.09 fails to adequately sanitize or restrict the destination paths of symbolic links contained within ZIP archives. When processing symlinks, the application does not verify that the resolved target path remains within the designated extraction directory, enabling directory traversal attacks.
This vulnerability follows a common pattern seen in archive utilities where symbolic link handling introduces path canonicalization issues. The absence of proper path normalization and boundary checks allows specially crafted symlinks to escape the extraction root directory.
Attack Vector
An attacker exploiting this vulnerability would craft a malicious ZIP archive containing symbolic links that reference parent directories (e.g., using ../ sequences or absolute paths). The attack scenario typically involves:
- Creating a ZIP archive with a symbolic link pointing to a sensitive system directory
- Including a payload file that, when extracted following the symlink, gets written to the attacker-controlled location
- Delivering the malicious archive to the victim via email, web download, or other distribution methods
- The victim extracts the archive using 7-Zip, causing files to be written outside the intended extraction directory
For example, an attacker could place a symlink targeting C:\Windows\System32 or /usr/local/bin, followed by a malicious executable. Upon extraction, the executable would be written to the system directory, potentially achieving code execution when the malicious file is subsequently invoked by the system or user. This attack was reported through the Zero Day Initiative as ZDI-CAN-26743.
Detection Methods for CVE-2025-11002
Indicators of Compromise
- Presence of unexpected files in system directories after ZIP extraction operations
- ZIP archives containing symbolic links with path traversal sequences (../) in link targets
- File system modifications outside designated extraction directories during 7-Zip operations
- Unusual symbolic link creation events in system logs associated with archive extraction
Detection Strategies
- Monitor file system events for writes to sensitive system directories originating from 7-Zip processes
- Implement archive content inspection to identify ZIP files containing symbolic links with suspicious target paths
- Deploy endpoint detection rules to alert on 7z.exe or 7zFM.exe processes creating files outside expected working directories
- Use YARA rules to scan incoming ZIP archives for embedded symbolic links with traversal patterns
Monitoring Recommendations
- Enable detailed file system auditing on critical system directories to detect unauthorized file writes
- Implement application whitelisting to prevent execution of newly created files in system directories
- Configure SentinelOne Singularity to monitor 7-Zip extraction activities for anomalous file system operations
- Review logs for 7-Zip extraction events, particularly those involving archives from external or untrusted sources
How to Mitigate CVE-2025-11002
Immediate Actions Required
- Update 7-Zip to the latest available version that addresses CVE-2025-11002
- Audit systems running 7-Zip version 24.09 and schedule immediate patching
- Implement content filtering to scan incoming ZIP archives for malicious symbolic links before extraction
- Restrict 7-Zip usage to trusted archives only until patching is complete
Patch Information
Organizations should update to the latest version of 7-Zip that addresses this vulnerability. Refer to the Zero Day Initiative Advisory ZDI-25-950 for detailed information on affected versions and patch availability.
SentinelOne Singularity Platform provides protection against exploitation attempts targeting this vulnerability through behavioral analysis and endpoint protection capabilities. The platform can detect and block malicious file writes resulting from directory traversal attacks during archive extraction.
Workarounds
- Avoid extracting ZIP archives from untrusted or unknown sources until patching is complete
- Use alternative archive utilities with known symbolic link protections for processing untrusted archives
- Implement application-level controls to disable symbolic link processing if supported by your 7-Zip configuration
- Deploy file system access controls to prevent 7-Zip from writing to sensitive system directories
If updating 7-Zip is not immediately possible, consider implementing archive pre-scanning workflows:
# Example: Pre-scan ZIP archives for suspicious symbolic links before extraction
# Check for symlinks in archive contents
7z l -slt archive.zip | grep -i "symbolic link"
# Alternative: Use dedicated archive scanning tools to inspect for path traversal patterns
# Verify archive contents before extraction in untrusted environments
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
