Vulnerabilities in 7-Zip allow attackers to run any code remotely


The well-known open source file archiving software 7-Zip has been found to contain two high-risk flaws that could allow remote attackers to run arbitrary code.

The vulnerabilities, identified as CVE-2025-11001 and CVE-2025-11002, affect all software versions before the latest release and need to be patched immediately.

Flaw in symbolic link processing

The way 7-Zip handles symbolic links embedded in ZIP archives is at the core of both vulnerabilities. The advisory states that a threat actor could exploit the flaw by creating a malicious ZIP file with crafted contents.

When a user with a vulnerable version of 7-Zip extracts the archive, the faulty symbolic link handling allows directory traversal.

As a result, files outside the specified destination folder may be written during the extraction process, which may introduce dangerous payloads into sensitive system areas.
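A pre-extraction check for the pattern described above, as an added example that is not from the advisory or the 7-Zip project: it scans a ZIP for symbolic link entries whose target resolves outside the destination folder and for entries that would be written through such a link. It goes slightly beyond the text by also flagging absolute and `../` entry paths; the function names and the sample archive are constructed for illustration, and the code does not model 7-Zip's own extraction logic.

```python
import io
import posixpath
import stat
import zipfile

def _absolute(path: str) -> bool:
    # Rooted POSIX path or Windows drive-qualified path
    return path.startswith("/") or path[1:2] == ":"

def _climbs(path: str) -> bool:
    # True when the normalized path starts above the extraction root
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")

def audit_zip(data: bytes) -> list[str]:
    """List entries that could make an extractor write outside its destination."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(i, i.filename.replace("\\", "/")) for i in zf.infolist()]
        for info, name in entries:
            if _absolute(name) or _climbs(name):
                findings.append(f"{name}: entry path leaves destination")
            # Unix file mode is stored in the high 16 bits of external_attr
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(posixpath.normpath(name))
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _absolute(target) or _climbs(resolved):
                    findings.append(f"{name}: symlink target {target!r} leaves destination")
        for _, name in entries:
            parts = posixpath.normpath(name).split("/")
            # Any parent component that is itself a symlink entry redirects the write
            if any("/".join(parts[:n]) in links for n in range(1, len(parts))):
                findings.append(f"{name}: written through a symlink entry")
    return findings

def build_constructed_sample(target: str = "../../outside") -> bytes:
    """Constructed test archive: a regular file, a symlink, a file under the symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("docs/link")
        link.create_system = 3  # mark the entry as created on Unix
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, target)
        zf.writestr("docs/link/file.txt", "data")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip(build_constructed_sample()):
        print(finding)
```

A mail gateway or upload handler can run a check like this and quarantine any archive that returns findings before the file reaches an unpatched extractor.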

Although the malicious file is delivered remotely to initiate the attack, the victim must choose to open the archive, so exploitation requires user interaction. Depending on how 7-Zip is used in different contexts, the exact attack vectors may change.

With a score of 7.0 in CVSS 3.0, both CVE-2025-11001 and CVE-2025-11002 are classified as high severity risks.

If the exploit is successful, an attacker can execute arbitrary code on the affected device with the privileges of the service account or user running the 7-Zip application.

This could lead to data theft, a complete system breach, or the deployment of other malicious software, such as ransomware.

Given the extensive use of 7-Zip, the potential impact on confidentiality, integrity, and availability remains significant, although the vulnerabilities are not classified as critical due to the high complexity of the attack and the need for user intervention.

| CVE ID | Affected product | Vulnerability | CVSS 3.0 score |
|---|---|---|---|
| CVE-2025-11002 | 7-Zip (versions before 25.00) | Execute arbitrary code via symbolic link processing | 7.0 (High) |
| CVE-2025-11001 | 7-Zip (versions before 25.00) | Execute arbitrary code via symbolic link processing | 7.0 (High) |

Version 25.00, which addresses these vulnerabilities, has been released by the developer of 7-Zip. It is highly recommended that all users update their installations immediately to protect against potential exploitation.

Following a responsible disclosure timeline, the vulnerabilities were first brought to the vendor’s attention on May 2, 2025.

On October 7, 2025, a coordinated public advisory was subsequently issued to inform the public about the risks and the available fix. Working with Takumi-san.ai, security researcher Ryota Shiga of GMO Flatt Security Inc. discovered these security vulnerabilities.

About the author:

Yogesh Nagar is a content marketer specializing in the cybersecurity and B2B space. Besides writing for News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
