7-Zip Symbolic-Link Vulnerability Allows Arbitrary Code Execution on Windows (CVE-2025-11001)
November 24th, 2025
High
Our Cyber Threat Intelligence Unit is monitoring a high-severity remote code execution vulnerability, CVE-2025-11001, affecting the open-source file archiver 7-Zip. It stems from improper handling of symbolic link entries within ZIP archives, allowing specially crafted archives to escape the intended extraction directory and write files to arbitrary locations on the Windows filesystem. Under certain conditions, especially when 7-Zip is run by an elevated user, service account, or automated process, this can result in arbitrary code execution. The issue was introduced in 7-Zip 21.02 and impacts all Windows versions prior to 25.00; patches have been released in 7-Zip 25.00, with security hardening improvements available in 25.01 and later versions. Given the combination of public PoC code, attacker interest, and widespread use in automated workflows, this vulnerability poses significant risks to organizations.
Technical Details
Attack Type: Arbitrary Code Execution via ZIP Directory Traversal / Symbolic-Link Abuse.
Vulnerability Type: Improper handling of symbolic links during ZIP extraction.
Severity: High (CVSS 7.0)
CVE ID: CVE-2025-11001
Component Affected: 7-Zip for Windows.
Affected Versions: 7-Zip 21.02 through all builds prior to 25.00 (Windows).
Updated builds 25.01+ are recommended.
Platform Impacted: Windows only (per PoC and vendor confirmations).
Exploit Prerequisites:
7-Zip executed under an elevated, administrator, or service-account context or Windows Developer Mode enabled.
User or automated process extracts the malicious ZIP archive.
Attack Chain Overview:
Attacker crafts a ZIP archive containing symlink entries pointing outside the expected extraction directory.
Victim (user, service account, or automated task) extracts the archive using 7-Zip < 25.00 on Windows.
7-Zip follows the symbolic link, writing attacker-controlled files to arbitrary host paths.
A malicious file is placed and executed under an elevated or service account context, performing the extraction.
The attacker gains code execution, which can lead to persistence, data access, or lateral movement.
Impact
Arbitrary code execution under the privileges of the invoking user, commonly through a service account or elevated context.
Unauthorized file writes, modification of sensitive directories, or tampering with system and application configurations.
Compromise of automated workflows, including backup processes, scheduled tasks, and shared-drive ingestion pipelines.
Potential lateral movement if attackers gain a foothold through privileged service accounts.
Operational disruption, data loss, and increased incident-response requirements.
Reputational damage and possible regulatory exposure if code execution leads to data compromise.
Detection Method
Security teams should monitor for:
Extraction of ZIP archives containing symbolic links, particularly those resolving outside expected directories
File creation events triggered by 7z.exe in paths not associated with the extraction target.
Process execution launched directly or indirectly by 7z.exe following ZIP extraction.
Presence of outdated 7-Zip builds (pre-25.00) on Windows hosts.
Service account activity anomalies, including unusual file writes, process launches, or scheduled task behavior.
Archive extraction originating from untrusted ZIP files, especially those delivered via email, shared storage, or automated ingestion points.
Indicators of Compromise
There are No Indicators of Compromise (IOCs) for this Advisory.
Recommendations
Upgrade immediately to 7-Zip 25.01 or later across all Windows endpoints and remove deprecated or unmanaged installations.
For automated workflows, consider disabling 7-Zip or enforcing strict application allowlisting and extraction-folder sandboxing to prevent path escapes.
Restrict archive extraction under privileged or service accounts and reevaluate any workflows that ingest untrusted ZIP files.
Implement hardened directory-permission controls to block unauthorized writes outside approved locations.
Strengthen monitoring around ZIP ingestion systems and alert on symbolic-link ZIP entries.
Educate users on avoiding untrusted or unexpected ZIP attachments, especially those delivered via email, cloud storage links, or collaboration platforms.
Conclusion
CVE-2025-11001 poses a significant risk to Windows environments because it weaponizes trusted ZIP extraction workflows to execute code beyond intended directory boundaries. With public exploit code available and heightened attacker interest, we urge organizations to adopt a proactive stance: patch rapidly, harden automated extraction pipelines, and enhance monitoring around file-based ingestion systems. Seemingly routine archive-handling operations can quickly become a vector for high-impact compromise when left unaddressed.