New 7-Zip high-severity vulnerabilities expose systems to remote attackers — users should update to version 25 ASAP


Two newly disclosed vulnerabilities in 7-Zip could allow attackers to execute arbitrary code by tricking users into opening a malicious ZIP archive. The issues, reported October 7 by Trend Micro’s Zero Day Initiative (ZDI), affect multiple builds of the popular open-source compression tool and were quietly fixed in July.

Tracked as CVE-2025-11001 and CVE-2025-11002, the flaws stem from how 7-Zip parses symbolic links within ZIP files. In essence, a crafted archive can escape its intended extraction directory and write files to other locations on the system. When chained, this can escalate to full code execution under the same privileges as the user, which is enough to compromise a Windows environment. Both vulnerabilities carry a CVSS base score of 7.0.

According to ZDI’s advisory, exploitation requires user interaction, but that bar is low; simply opening or extracting a malicious archive is sufficient. From there, the symlink traversal flaw can overwrite or plant payloads in sensitive paths, allowing the attacker to hijack execution flow. ZDI categorizes both bugs as directory traversal leading to remote code execution in a service account context.
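As an added illustration (not code from 7-Zip, ZDI, or this article), the sketch below shows a generic pre-extraction check for the class of issue described above: it lists ZIP entries stored as symbolic links whose targets are absolute or resolve outside the extraction directory. It assumes the archive records Unix mode bits in `external_attr`; the sample archive and all function names are constructed for the example.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    # Unix-style archivers store the file mode in the high 16 bits.
    return stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(entry_name: str, target: str) -> bool:
    """True if a link stored at entry_name would resolve outside the extraction root."""
    target = target.replace("\\", "/")
    # Absolute POSIX, UNC and drive-letter targets never stay under the root.
    if target.startswith("/") or (len(target) > 1 and target[1] == ":"):
        return True
    base = posixpath.dirname(entry_name)
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def audit_zip(data: bytes) -> list:
    """Return (entry name, link target) for every symlink entry that leaves the root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            target = zf.read(info).decode("utf-8", "replace")
            if escapes_root(info.filename, target):
                findings.append((info.filename, target))
    return findings


def build_sample() -> bytes:
    """Constructed in-memory archive for the demo; nothing is written to disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in [("docs/current", "readme.txt"),
                             ("docs/shortcut", "../../outside"),
                             ("abs", "C:\\Temp")]:
            link = zipfile.ZipInfo(name)
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, target)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_zip(build_sample()))
```

A check like this can gate archives from untrusted sources before they are handed to any extractor; it does not replace updating 7-Zip.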

Earlier this year, CVE-2025-0411 made headlines for allowing attackers to bypass Windows’ Mark-of-the-Web protections by nesting malicious ZIPs, effectively stripping downloaded files of their “from the internet” warning flags. That flaw was addressed in version 24.09.


Luke James
Contributor

Luke James is a freelance writer and journalist. Although his background is in legal, he has a personal interest in all things tech, especially hardware and microelectronics, and anything regulatory.

  • rluker5
    Good to know. Updating my 7zip now.
  • nrdwka
    Is only 7-zip affected, or any archiver, like the Windows built-in one?
  • Notton
    Oh look, 7-zip had a flaw and it got patched just like Winrar

    https://www.tomshardware.com/tech-industry/cyber-security/newly-discovered-winrar-exploit-linked-to-russian-hacking-group-can-plant-backdoor-malware-zero-day-hack-requires-manual-update-to-fix