A significant security warning has been issued by NHS England regarding active exploitation of a recently patched flaw in the popular file archiver, 7-Zip. The vulnerability, tracked as CVE-2025-11001, carries a CVSS score of 7.0 and is categorized as a file parsing directory traversal issue that can lead to Remote Code Execution (RCE). This security defect specifically resides in how 7-Zip handles symbolic links embedded within ZIP archives. Threat actors can craft malicious data that, when processed by a vulnerable 7-Zip installation, allows them to traverse to unintended directories.
The core of the problem lies in the handling of symbolic links, particularly when converting them from a Linux format to a Windows environment, impacting 7-Zip versions 21.02 through 24.09 and exploitable only on Windows systems. The application incorrectly marks Linux symbolic links that use Windows-style C:\ paths as relative, while simultaneously setting the link’s path to the full C:\ path. This logical inconsistency enables an attacker to bypass a security check designed to prevent the creation of links to absolute paths on the system.
This bypass allows an attacker to construct a symbolic link designed to write a malicious binary file into a directory chosen by the threat actor. The severity of the exploit hinges on the privileges of the running 7-Zip process. Crucially, executing a full RCE attack requires administrative privileges because the creation of a symbolic link is considered a privileged operation on the Windows operating system. Therefore, the most practical and potent attack scenario is when 7-Zip is utilized by a service account, which often runs with elevated permissions.
Security advisories, including one from the Trend Micro Zero Day Initiative (ZDI), highlight that an attacker could leverage this flaw to execute code “in the context of a service account,” though the precise attack vectors may vary based on the specific system implementation. The warning from NHS England was prompted by the observation of active exploitation in the wild and the public availability of a Proof-of-Concept (PoC) exploit. This PoC demonstrates the ability to abuse symbolic-link handling to write files outside of the expected extraction folder, which is the mechanism that can ultimately enable arbitrary code execution.
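The shape of the archive described above, a Linux-style symlink entry whose target is a Windows drive-letter path, can be checked for before extraction. The following scanner is an added example for this write-up, not code from 7-Zip or from the advisory; it uses Python's standard `zipfile` module, reads the Unix mode bits that a Linux archiver stores in `external_attr`, and flags symlink targets that are absolute, drive-letter, or parent-traversing. The sample archive it builds is constructed in memory with a placeholder target path.

```python
import io
import re
import stat
import zipfile

# Drive-letter prefix such as C:\ or D:/ (the form the advisory describes)
WINDOWS_ABS = re.compile(r"^[A-Za-z]:[\\/]")

def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    # Unix archivers keep st_mode in the high 16 bits of external_attr
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)

def is_unsafe_target(target: str) -> bool:
    # Absolute Windows path, rooted POSIX/UNC path, or any ".." component
    if WINDOWS_ABS.match(target) or target.startswith(("/", "\\")):
        return True
    return ".." in re.split(r"[\\/]", target)

def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, link target) for symlinks that point outside the extraction root.
    This checks the declared mode bits and target text only; it does not reproduce
    7-Zip's own link-conversion logic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink_entry(info):
                continue
            # For a symlink entry the member data is the link target
            target = zf.read(info).decode("utf-8", "replace")
            if is_unsafe_target(target):
                findings.append((info.filename, target))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: a file, a harmless relative link, and a link
    whose target is a placeholder Windows absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in (("ok_link", "readme.txt"),
                             ("bad_link", r"C:\example\dropped.dll")):
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # 3 = Unix, as a Linux-created archive would set
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()

if __name__ == "__main__":
    for name, target in scan_archive(build_sample()):
        print(f"suspicious symlink {name!r} -> {target!r}")
```

Running the scan over inbound archives on a mail gateway or before a service account extracts them gives a detection point that is independent of which 7-Zip version is installed.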
Both CVE-2025-11001 and an identical vulnerability, CVE-2025-11002, were discovered and reported by Ryota Shiga of GMO Flatt Security. The developers of 7-Zip were notified of both issues in May, and the fixes were subsequently included in the release of 7-Zip version 25.00 in July. Organizations using vulnerable versions of 7-Zip are strongly urged to update immediately to version 25.00 or later to mitigate the risk of these actively exploited directory traversal and RCE flaws.