Cyber Web Spider Blog – News
PoC Exploit for 7-Zip Vulnerabilities that Allows Remote Code Execution

Posted on October 18, 2025 by CWS

A proof-of-concept exploit has been published for two important vulnerabilities in the popular file archiver 7-Zip, potentially allowing attackers to execute arbitrary code remotely via malicious ZIP files.

The flaws, tracked as CVE-2025-11001 and CVE-2025-11002, were disclosed by the Zero Day Initiative (ZDI) on October 7, 2025, and stem from improper handling of symbolic links during ZIP extraction on Windows systems.

Both carry a CVSS v3.0 score of 7.0, highlighting their potential for serious impact despite initial perceptions of lower risk.

These issues affect 7-Zip versions from 21.02 up to 24.09, where flaws in the symlink conversion process enable path traversal attacks. Discovered by Ryota Shiga of GMO Flatt Security Inc., the vulnerabilities exploit how 7-Zip processes Linux-style symlinks, converting them to Windows equivalents without adequate safeguards.

In a detailed analysis shared by security researcher pacbypass, the bugs arise in the ArchiveExtractCallback.cpp module, particularly in functions like IsSafePath and CLinkLevelsInfo::Parse.

Unpacking the Symlink Flaws

The core problem lies in 7-Zip's extraction logic, which fails to properly validate symlink targets. When extracting a ZIP containing a Linux symlink that points to a Windows absolute path like C:\Users, the software misclassifies it as relative because of a flawed absolute-path check tailored for Linux or WSL environments.

This bypasses the safety checks in IsSafePath, allowing the symlink to resolve outside the extraction directory.

Further, during symlink creation in SetFromLinkPath, 7-Zip prepends the extraction folder path to the target, producing a seemingly safe relative path that evades validation.

A subsequent check in CloseReparseAndFile skips directory-specific scrutiny for non-directories, enabling the symlink to point anywhere. Patches in version 25.00 introduce a new IsSafePath overload with an isWSL flag and refined parsing to detect absolute paths correctly, closing these gaps.

The analysis draws on diffs between versions 24.09 and 25.00 on GitHub, which reveal a rework of symlink support. While one CVE likely targets direct path traversal, the other involves UNC path symlinks, amplifying the risk in networked scenarios.

Exploiting these flaws requires crafting a ZIP in which a symlink is extracted first, redirecting subsequent files to sensitive locations such as the Desktop or system directories.

For instance, a malicious archive could create a symlink named "link" pointing to C:\Users\[Username]\Desktop, followed by a payload like calc.exe. Upon extraction, 7-Zip follows the link and writes the executable to the target, potentially leading to code execution if the user runs it.

The PoC, available on pacbypass's GitHub repository, demonstrates this by unpacking a directory structure that dereferences the symlink, enabling arbitrary file writes.

However, exploitation requires elevated privileges, developer mode, or an elevated service context, limiting it to targeted attacks rather than broad phishing. It works only on Windows, not on Linux or macOS.

Mitigations

Users should update to 7-Zip 25.00 immediately, as it addresses these issues comprehensively. Disabling symlink support during extraction or scanning archives with antivirus tools can reduce exposure. These vulnerabilities underscore the ongoing risk in archive handlers, echoing past 7-Zip flaws such as directory traversals.

With the PoC public, attackers could weaponize these flaws for initial access in phishing campaigns. Organizations relying on 7-Zip for bulk extractions should audit their workflows and monitor for anomalous file writes.
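The following Python pre-extraction check is an added example, not code from the article, from 7-Zip, or from pacbypass's PoC. It performs the symlink-target validation the article says 7-Zip 24.09 got wrong: it walks a ZIP's central directory, reads the target of every Unix-mode symlink entry, and flags drive-absolute (C:\...), UNC (\\server\share), rooted, or dot-dot-escaping targets before anything is written to disk. The function names and the sample archive (built inline with a placeholder path) are my own assumptions.

```python
import io
import re
import stat
import zipfile

# A Unix-created ZIP stores st_mode in the high 16 bits of external_attr,
# which is how a "Linux-style" symlink entry is identified.
WIN_ABS = re.compile(r"^[A-Za-z]:[\\/]")   # drive-absolute, e.g. C:\ or C:/
UNC = re.compile(r"^[\\/]{2}")             # UNC, e.g. \\server\share


def classify_target(target):
    """Return a reason if the symlink target could escape the extraction dir, else None."""
    if WIN_ABS.match(target):
        return "windows-absolute target"
    if UNC.match(target):
        return "UNC target"
    if target.startswith(("/", "\\")):
        return "rooted target"
    depth = 0                               # track how many levels the link climbs
    for part in re.split(r"[\\/]+", target):
        if part == "..":
            depth -= 1
            if depth < 0:
                return "dot-dot escape"
        elif part and part != ".":
            depth += 1
    return None


def scan_zip(data):
    """Return (entry name, target, reason) for every suspicious symlink entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue                    # regular files and dirs are not checked here
            target = zf.read(info).decode("utf-8", "replace")  # link target is the entry body
            reason = classify_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


def build_sample():
    """Constructed sample: one symlink entry with a placeholder drive-absolute target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("link")
        link.create_system = 3              # 3 = Unix, so external_attr carries st_mode
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "C:\\Users\\Public\\Desktop")   # placeholder target, not from the page
        zf.writestr("readme.txt", "benign content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, target, reason in scan_zip(build_sample()):
        print(f"{name} -> {target}: {reason}")
```

Run it over quarantined archives before a bulk extraction job; a non-empty result means the archive should not be extracted by a 7-Zip build older than 25.00.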
