CVE-2025-11002

7.8 HIGH

📋 TL;DR

A directory traversal vulnerability in 7-Zip's ZIP file parsing allows remote attackers to execute arbitrary code by crafting malicious ZIP archives containing symbolic links. Any system running a vulnerable version of 7-Zip that processes untrusted ZIP files is affected, and successful exploitation gives the attacker code execution with the privileges of the user or service running 7-Zip.

💻 Affected Systems

Products:
  • 7-Zip
Versions: prior to 24.08
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations that process ZIP files from untrusted sources are vulnerable. This includes both GUI and command-line versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with system-level privileges leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Arbitrary code execution with user-level privileges, potentially leading to data theft, ransomware deployment, or installation of persistent backdoors.

🟢 If Mitigated

Limited impact due to proper access controls, sandboxing, or network segmentation preventing lateral movement and privilege escalation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open a malicious ZIP file, but no authentication is needed. The vulnerability is in file parsing logic, making reliable exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 24.08 and later

Vendor Advisory: https://www.7-zip.org/history.txt

Restart Required: No

Instructions:

1. Download 7-Zip version 24.08 or later from https://www.7-zip.org/download.html
2. Run the installer and follow the installation prompts
3. Replace existing 7-Zip installations with the updated version

🔧 Temporary Workarounds

Disable ZIP file processing (Windows)

Prevent 7-Zip from handling ZIP files by removing its file association, so that opening a ZIP no longer launches 7-Zip by default.

Windows: Use 'Default Programs' in Control Panel to change ZIP file associations to another application. This only changes the default handler; a user or script can still open an archive with 7-Zip explicitly, so treat it as a partial measure.

Use application whitelisting (all platforms)

Restrict execution of 7-Zip to trusted directories only

Windows: Configure AppLocker or Windows Defender Application Control rules
Linux: Use SELinux/AppArmor policies

🧯 If You Can't Patch

  • Implement strict file upload controls to block ZIP files from untrusted sources
  • Run 7-Zip in a sandboxed environment with limited privileges and no network access
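A pre-extraction screen for archives arriving from untrusted sources, as an added example for this advisory (it is not 7-Zip's code and not part of the original page). It reads the ZIP central directory with Python's standard zipfile module and flags three things: symbolic-link entries, links whose target resolves outside the extraction root, and entry names that traverse upward or are absolute. The sample archive it builds is constructed for the demonstration only. A gate like this can sit in front of any extractor on an upload or mail-gateway path; it complements the "block ZIP files from untrusted sources" control and does not replace the patch.

```python
"""Pre-extraction scanner for ZIP archives from untrusted sources.

Added example for this advisory, not 7-Zip's own code. It inspects the
central directory with Python's zipfile module and flags entries that a
symlink-aware extractor could be tricked into writing outside the root:

  * "traversal"      - entry name is absolute or contains ".." components
  * "symlink-escape" - a symbolic-link entry whose target resolves outside
                       the extraction root
  * "symlink"        - any other symbolic-link entry (still unexpected in
                       archives from untrusted senders)

The archive produced by make_sample_archive() is constructed for the demo.
"""
import io
import posixpath
import stat
import zipfile


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix permission/type bits live in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def _escapes_root(entry_name: str, target: str) -> bool:
    """True if a link stored at entry_name pointing to target leaves the root."""
    if posixpath.isabs(target) or target.startswith("\\"):
        return True
    if len(target) > 1 and target[1] == ":":      # Windows drive letter
        return True
    link_dir = posixpath.dirname(entry_name)
    resolved = posixpath.normpath(posixpath.join(link_dir, target))
    return resolved == ".." or resolved.startswith("../")


def _unsafe_name(name: str) -> bool:
    """Entry name itself traverses upward or is absolute."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def scan_zip(data: bytes) -> list:
    """Return a list of (finding_type, entry_name, detail) for the ZIP bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if _unsafe_name(info.filename):
                findings.append(("traversal", info.filename, info.filename))
                continue
            if _is_symlink(info):
                # For a symlink entry the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                kind = "symlink-escape" if _escapes_root(info.filename, target) else "symlink"
                findings.append((kind, info.filename, target))
    return findings


def is_safe_to_extract(data: bytes) -> bool:
    """Policy for untrusted senders: any finding rejects the archive."""
    return not scan_zip(data)


def _add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a Unix-style symlink entry (used only to build the sample)."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3                        # 3 = Unix, so mode bits apply
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)


def make_sample_archive() -> bytes:
    """Constructed sample: a benign file, an in-root link, an escaping link, a '..' name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello\n")
        _add_symlink(zf, "docs/latest", "readme.txt")        # resolves inside root
        _add_symlink(zf, "out", "../../outside-root")        # resolves outside root
        zf.writestr("../evil.txt", "x")                      # classic traversal name
    return buf.getvalue()


if __name__ == "__main__":
    for kind, name, detail in scan_zip(make_sample_archive()):
        print(f"{kind:15} {name!r} -> {detail!r}")
```

Rejecting every symlink entry from an untrusted sender, not only those whose target escapes, is deliberate: a link that resolves inside the root can still be used as a path component by a later entry, so a policy that keys only on the target is weaker than it looks. Mode bits are read from external_attr, which is where Unix-created archives store the link type; an extractor that honours them is exactly what this advisory is about.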

🔍 How to Verify

Check if Vulnerable:

Check the installed 7-Zip version: if it is earlier than 24.08, the installation is vulnerable

Check Version:

Windows: run "7z" from a command prompt (the banner line shows the version) or check Help > About in the GUI
Linux: run "7z" or query the package manager

Verify Fix Applied:

Confirm the 7-Zip version is 24.08 or later, then test extraction with known-safe ZIP files
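A scripted form of the version check above, as an added example (not 7-Zip's own tooling and not from this advisory). It parses the banner that the 7z command prints, compares the version numerically rather than as text (a plain string comparison ranks "9.20" above "24.08"), and reports whether the install is below the fix version the advisory gives. The banner strings in SAMPLE_BANNERS are constructed samples modelled on the 7z CLI's first output line; since the wording differs between 7-Zip and p7zip builds, the regex relies only on the "major.minor" token.

```python
"""Version check for 7-Zip against the fix version stated in this advisory.

Added example, not 7-Zip's own tooling. parse_version() extracts
(major, minor) from the banner 7z prints; is_vulnerable() compares it
numerically with FIXED_VERSION; check_installed() runs the local binary
if one is on PATH. SAMPLE_BANNERS are constructed samples.
"""
import re
import shutil
import subprocess

FIXED_VERSION = (24, 8)   # first release this advisory lists as patched

# "7-Zip 24.08 (x64) : ...", "7-Zip [64] 16.02 : ...", "7-Zip (a) [64] 9.20 ..."
_VERSION_RE = re.compile(r"7-Zip(?:\s*\([^)]*\))?(?:\s*\[\d+\])?\s+(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Return (major, minor) from 7z banner text; raise ValueError if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 7-Zip version found in banner")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: tuple) -> bool:
    """Tuple comparison is numeric, so (9, 20) < (24, 8) as intended."""
    return version < FIXED_VERSION


def check_installed(binary: str = "7z") -> str:
    """Run the local 7z (if present) and return a one-line verdict."""
    path = shutil.which(binary)
    if path is None:
        return f"{binary}: not found on PATH"
    # 7z with no arguments prints its banner and usage; exit status is irrelevant here.
    out = subprocess.run([path], capture_output=True, text=True).stdout
    try:
        ver = parse_version(out)
    except ValueError:
        return f"{path}: version not recognised in banner"
    state = "VULNERABLE (below 24.08)" if is_vulnerable(ver) else "patched"
    return f"{path}: 7-Zip {ver[0]}.{ver[1]:02d} -> {state}"


# Constructed samples in the format of the 7z CLI's first output line.
SAMPLE_BANNERS = [
    "7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11",
    "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20",
    "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21",
    "7-Zip (a) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        v = parse_version(banner)
        print(f"{v[0]}.{v[1]:02d}: {'vulnerable' if is_vulnerable(v) else 'patched'}")
    print(check_installed())
```

On Windows the GUI binaries live beside the CLI, so checking the CLI banner in the install directory covers both; on Linux, also compare against the package manager's recorded version, since a distribution may ship a backported fix under an older version string.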

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from 7-Zip executable
  • File system access to unexpected directories by 7-Zip process

Network Indicators:

  • Outbound connections from 7-Zip process to unknown IPs
  • Unusual network traffic patterns following ZIP file processing

SIEM Query:

Process creation where parent process contains '7z' and child process is suspicious (cmd.exe, powershell.exe, etc.)
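The SIEM query above, written out as detection logic and run over sample process-creation events; this is an added example for the advisory, not a vendor-supplied rule. The events are constructed, in a simplified Sysmon-style field set (EventID 1 = process create, Image = new process, ParentImage = its parent), and the field names should be mapped to your own schema. It matches on exact image basenames rather than the substring '7z' so that unrelated process names containing those characters do not fire the rule.

```python
"""Process-creation detection for the SIEM query in this advisory:
7-Zip as the parent of a shell or scripting host.

Added example, not a vendor rule. SAMPLE_EVENTS are constructed in a
simplified Sysmon-style field set; rename fields to match your schema.
Matching is on image basenames so one rule covers the Windows GUI/CLI
binaries and the Linux 7z CLI.
"""

# Shells and script hosts that 7-Zip has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "sh", "bash", "python", "python3",
}
# Image names 7-Zip runs under: Windows GUI (7zFM, 7zG), Windows CLI, Linux/p7zip CLI.
SEVEN_ZIP_IMAGES = {"7z.exe", "7zg.exe", "7zfm.exe", "7z", "7za", "7zr"}


def basename(image: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_seven_zip_parent(event: dict) -> bool:
    return basename(event.get("ParentImage", "")) in SEVEN_ZIP_IMAGES


def is_suspicious_child(event: dict) -> bool:
    return basename(event.get("Image", "")) in SUSPICIOUS_CHILDREN


def detect(events: list) -> list:
    """Return the process-create events in which 7-Zip spawned a shell/script host."""
    return [
        e for e in events
        if e.get("EventID") == 1 and is_seven_zip_parent(e) and is_suspicious_child(e)
    ]


# Constructed sample events; only the fields the rule needs are included.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2025-10-01 09:12:03", "Host": "WS-0142",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                 # alert
    {"EventID": 1, "UtcTime": "2025-10-01 09:12:00", "Host": "WS-0142",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe"},            # user opened 7-Zip: benign
    {"EventID": 1, "UtcTime": "2025-10-01 09:15:41", "Host": "WS-0142",
     "ParentImage": r"C:\Program Files\7-Zip\7zG.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},             # not a shell: benign
    {"EventID": 1, "UtcTime": "2025-10-01 02:00:05", "Host": "backup01",
     "ParentImage": "/usr/bin/bash",
     "Image": "/usr/bin/7z"},                                   # script calling 7z: benign
    {"EventID": 1, "UtcTime": "2025-10-01 11:48:19", "Host": "build07",
     "ParentImage": "/usr/bin/7z",
     "Image": "/bin/sh"},                                       # alert
]

if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f"{e['UtcTime']} {e['Host']}: "
              f"{basename(e['ParentImage'])} -> {basename(e['Image'])}")
```

Direction matters: a shell or backup script that launches 7-Zip is routine, while 7-Zip launching a shell is not, so the rule keys on the parent. Tune SUSPICIOUS_CHILDREN to the environment, and where the endpoint agent records file events, pair this with the file-system indicator listed above (writes by a 7-Zip process outside the expected extraction directory) as a second signal.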
