Risk actors are exploiting a not too long ago patched 7-Zip vulnerability that results in distant code execution (RCE), NHS England warns.
The bug, tracked as CVE-2025-11001 (CVSS rating of seven.0), is described as a file parsing listing traversal subject, and requires person interplay for profitable exploitation.
The flaw impacts 7-Zip’s dealing with of symbolic hyperlinks in ZIP recordsdata, as crafted knowledge could possibly be used to traverse to unintended directories throughout processing.
“An attacker can leverage this vulnerability to execute code within the context of a service account,” a Development Micro Zero Day Initiative (ZDI) advisory reads. In accordance with ZDI, assault vectors depend upon implementation.
Ryota Shiga of GMO Flatt Safety was credited for locating this safety defect and an an identical vulnerability tracked as CVE-2025-11002.
Each points had been reported to 7-Zip’s builders in Could and had been patched in 7-Zip model 25.00, which was launched in July.
Now, NHS England, the Nationwide Well being Service’s key governing physique in England, warns that menace actors are concentrating on susceptible 7-Zip installations within the wild.
“Energetic exploitation of CVE-2025-11001 has been noticed within the wild,” the company’s advisory reads, declaring {that a} proof-of-concept (PoC) exploit concentrating on the bug is on the market.Commercial. Scroll to proceed studying.
“The PoC permits attackers to abuse symbolic-link dealing with to write down recordsdata outdoors of the supposed extraction folder, which in some eventualities, can allow arbitrary code execution,” NHS England notes.
In accordance with safety engineer Dominik C., the exploited vulnerability impacts the way in which 7-Zip variations 21.02 to 24.09 convert symbolic hyperlinks from Linux to Home windows, and might solely be exploited on Home windows programs.
As a result of the parser marks Linux symbolic hyperlinks with Home windows-style C: paths as relative however units the hyperlink path to the total C: path, the problem will be exploited to bypass a verify that forestalls creating hyperlinks to absolute paths, the safety engineer explains.
This enables an attacker to craft a symbolic hyperlink resulting in writing a malicious binary in a listing of their selecting, however provided that 7-Zip runs with administrative privileges.
“It is because the 7-Zip course of creates a symlink, which is a privileged operation on Home windows. Therefore the exploitation solely is sensible when 7-Zip is utilized by a service account,” the engineer notes.
Associated: Two-12 months-Previous Ray AI Framework Flaw Exploited in Ongoing Marketing campaign
Associated: Fortinet Discloses Second Exploited FortiWeb Zero-Day in a Week
Associated: Russian Hackers Exploited 7-Zip Zero-Day Towards Ukraine
Associated: Chrome 142 Replace Patches Exploited Zero-Day
