Executive Summary

A critical remote code execution (RCE) vulnerability, CVE-2025-11001, in the widely-used 7-Zip file archiving utility is now under active exploitation. The vulnerability, first disclosed in October 2025, has a CVSS score of 7.0 and affects all versions of 7-Zip prior to 25.0.0. The flaw is a path traversal weakness that allows an attacker to execute arbitrary code by tricking a user into extracting a malicious ZIP archive. Due to the ubiquity of 7-Zip in both personal and enterprise environments, the potential for widespread compromise is significant. NHS England Digital has confirmed active exploitation and issued an advisory on November 18, 2025, urging immediate patching.

Vulnerability Details

CVE-2025-11001 is a path traversal (also known as "Zip Slip") vulnerability. It stems from the improper handling of symbolic links within a ZIP archive. An attacker can create a malicious archive containing a symbolic link that points to a location outside of the intended extraction directory (e.g., ../../../../../../windows/system32/). When a vulnerable version of 7-Zip extracts this archive, it follows the symbolic link and writes a subsequent file (e.g., a malicious DLL or executable) to that sensitive system location. This can lead to arbitrary code execution with the privileges of the user running 7-Zip.

A related flaw, CVE-2025-11002, which shares the same root cause, is also fixed in the patched version.

Affected Systems

• 7-Zip: All versions prior to 25.0.0.

Exploitation Status

• Active Exploitation: Confirmed in the wild. Attacks have been observed targeting the healthcare and finance sectors.
• Attack Vector: Social engineering. Attackers trick users into downloading and extracting a malicious ZIP file, often delivered via phishing emails.

Impact Assessment

Successful exploitation of CVE-2025-11001 allows an attacker to achieve remote code execution on the victim's machine. This can be a stepping stone for a more comprehensive attack, including:

• Ransomware Deployment: The attacker can drop and execute a ransomware payload.
• Credential Theft: A malicious payload can be used to steal passwords, session cookies, and other sensitive data.
• Persistent Access: The attacker can plant a backdoor or RAT (Remote Access Trojan) for long-term access to the compromised system and network.

Because 7-Zip is often used in automated processes on servers, the vulnerability could also be triggered without direct user interaction if a server-side application automatically extracts untrusted archives. In this scenario, the code would execute with the privileges of the server's service account, which could be highly privileged.

Cyber Observables for Detection

• File Name: Look for the extraction of ZIP files from untrusted sources, such as email attachments.
• Process Name: Monitor for the 7z.exe or 7zG.exe process writing files to unexpected locations outside of the user's intended extraction folder (e.g., C:\Windows, C:\Program Files).
• Log Source: EDR logs, File Integrity Monitoring (FIM) logs, and antivirus logs.

Detection Methods

1. Endpoint Detection and Response (EDR): Configure EDR rules to alert when the 7-Zip process writes files to sensitive system directories. This is a high-fidelity indicator of exploitation.
2. Asset Inventory: Use system management tools or asset inventory scanners to identify all systems with vulnerable versions of 7-Zip installed (< 25.0.0).
3. Email Security Gateway: Filter and block emails containing suspicious ZIP attachments, especially from unknown senders.

Remediation Steps

1. Update Immediately: The primary remediation is to update all installations of 7-Zip to version 25.0.0 or later. This should be treated as a high-priority patch. See M1051 - Update Software.
2. Automate Patching: This incident highlights the risk of manually-patched software. Organizations should use automated patch management systems to ensure that common utilities like 7-Zip are kept up-to-date across the entire enterprise.
3. User Training: Remind users not to open or extract attachments from untrusted or unsolicited emails. See M1017 - User Training.
4. Restrict Execution: As a compensating control, consider using application control policies (e.g., AppLocker) to prevent users from running unapproved software, although this may be difficult to implement for a common utility like 7-Zip.