7-Zip Vulnerability: Hackers Exploiting CVE-2025-11001 - What You Need to Know (2026)

Imagine a hacker remotely seizing control of your computer through a seemingly innocent ZIP file. Sounds like a movie plot, right? But it's happening right now! Security experts are sounding the alarm about a critical vulnerability in 7-Zip, a widely used file archiving tool. The vulnerability, identified as CVE-2025-11001, allows attackers to remotely execute malicious code on vulnerable systems.

According to a recent advisory from U.K. NHS England Digital, this flaw is actively being exploited in the wild. This means hackers aren't just theorizing about how to use this vulnerability; they're actively using it to attack systems.

The root cause lies in how 7-Zip handles symbolic links within ZIP files. Think of symbolic links as shortcuts on your computer. A cleverly crafted ZIP file can trick 7-Zip into following these shortcuts to unintended directories, ultimately allowing the attacker to run their own malicious code. Trend Micro's Zero Day Initiative (ZDI) highlighted that an attacker could exploit this to execute code within the context of a service account, potentially gaining significant control over the affected system.

This vulnerability was discovered and reported by Ryota Shiga of GMO Flatt Security Inc., with assistance from their AI-powered AppSec Auditor, Takumi. This shows how both human expertise and AI are increasingly crucial in identifying and mitigating security threats.

7-Zip version 25.00, released in July 2025, addresses this vulnerability. It also patched a related RCE flaw, CVE-2025-11002, which similarly involves improper handling of symbolic links in ZIP archives, leading to directory traversal. Both vulnerabilities were introduced in version 21.02. So, if you're running a version from 21.02 up to (but not including) 25.00, you're at risk.

While NHS England Digital has confirmed active exploitation of CVE-2025-11001, details about the specific attack methods, the attackers involved, and the targets remain scarce. But here's where it gets controversial... Some security experts believe the lack of detailed information might be intentional, to avoid giving attackers a blueprint. What do you think? Is it better to share information openly, or keep some details secret to make it harder for malicious actors?

Because proof-of-concept (PoC) exploits exist (available on platforms like GitHub), updating 7-Zip is urgent. Security researcher Dominik (aka pacbypass), who released the PoC, emphasized that this vulnerability is specific to Windows systems and can only be exploited from the context of an elevated user/service account or a machine with developer mode enabled. And this is the part most people miss... While that sounds limiting, many systems are configured in ways that make them vulnerable.

Crucially, this means if you're running 7-Zip on Windows with elevated privileges, you're a prime target. Even if you think your system is secure, it's always better to err on the side of caution.

So, what should you do? The answer is simple: update to 7-Zip version 25.00 immediately. It's a small effort that can save you from a major headache.

What are your thoughts on this vulnerability? Do you think the severity is being accurately portrayed? Have you already updated your systems? Share your opinions and experiences in the comments below!


Author: Aracelis Kilback
