A new warning has surfaced around a serious 7-Zip vulnerability, and security teams are already seeing attackers take advantage of it. The flaw, now tracked as CVE-2025-11001, was recently patched, yet many systems remain exposed. NHS England says it has detected active exploitation in the wild, which means anyone running outdated versions of 7-Zip faces real risk.
The vulnerability stems from how 7-Zip processes symbolic links inside ZIP files. When a malicious archive is crafted in a certain way, it can trick 7-Zip into stepping outside its intended directories during extraction. That simple misstep opens the door to remote code execution, but it only works if the user interacts with the file.
Trend Micro’s Zero Day Initiative explains that an attacker can use this flaw to execute code under a service account, depending on how 7-Zip is deployed. Security researcher Ryota Shiga first uncovered the issue, along with a twin vulnerability labelled CVE-2025-11002. Both bugs were reported earlier this year and patched in version 25.00, which shipped in July.
The trouble is that once a proof-of-concept exploit leaked online, threat actors moved quickly. NHS England warns that attackers are using this PoC to abuse symbolic-link handling and force 7-Zip to write files outside the extraction folder. In the right conditions, this leads to arbitrary code execution.
Security engineer Dominik C. dug deeper into how the flaw works. The root cause lies in how 7-Zip versions 21.02 through 24.09 convert Linux symbolic links into Windows paths. The parser treats Linux links that include full Windows-style C:\ paths as if they were relative, but then assigns them a full absolute path. This bypasses a safeguard meant to block dangerous absolute paths.
Because of this oversight, an attacker can craft a symbolic link that forces 7-Zip to drop a malicious file anywhere they choose. But there’s a catch. The exploit only succeeds if 7-Zip runs with elevated privileges. On Windows, creating a symlink is a privileged action, so the attack only becomes meaningful when 7-Zip operates under a service account or with admin-level rights.
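To triage archives for the pattern described above, an added defensive example (not from the article, NHS England, or the 7-Zip project): a Python script that reads a ZIP's central directory, picks out entries stored as Unix symbolic links, and flags any whose target is an absolute Windows drive path, a UNC path, an absolute POSIX path, or a parent-directory traversal. The sample archive is constructed in memory with placeholder names, and the flagging heuristics are this example's own assumptions, not 7-Zip's internal path check.

```python
from __future__ import annotations
import io
import re
import stat
import zipfile

# Heuristics for symlink targets that would land outside the extraction folder.
WINDOWS_ABS = re.compile(r"^[A-Za-z]:[\\/]")   # C:\... or C:/...
UNC_PATH = re.compile(r"^[\\/]{2}")            # \\server\share or //server/share

def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix-created entries keep st_mode in the high 16 bits of external_attr."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)

def classify_target(target: str) -> str | None:
    """Return a reason if the link target looks like it escapes the extraction dir."""
    if WINDOWS_ABS.match(target):
        return "absolute Windows drive path"
    if UNC_PATH.match(target):
        return "UNC path"
    if target.startswith("/"):
        return "absolute POSIX path"
    if ".." in re.split(r"[\\/]+", target):
        return "parent-directory traversal"
    return None

def scan_zip(data: bytes) -> list[tuple[str, str, str]]:
    """Return (entry name, link target, reason) for each suspicious symlink entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # For a symlink entry the stored "content" is the link target itself.
            target = zf.read(info).decode("utf-8", errors="replace")
            reason = classify_target(target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: a regular file, a benign relative symlink, and a
    symlink whose target is a placeholder absolute Windows path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        for name, target in [("link_ok", "readme.txt"),
                             ("link_bad", r"C:\example\dropped.txt")]:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3                       # 3 = Unix, so st_mode is honoured
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, target)
    return buf.getvalue()
```

Run `scan_zip` over archives arriving through automated pipelines that extract with elevated rights; any finding is a reason to quarantine the file rather than extract it.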
This detail explains why NHS England is urging organisations to patch immediately. Many enterprise systems still rely on automated workflows that run 7-Zip with higher privileges than a normal user. In these setups, a single malicious ZIP file could hand an attacker control over the machine.
The latest version of 7-Zip closes the hole, but the presence of active exploitation makes updating urgent. Since the attack relies on user interaction, teaching teams to avoid untrusted archives adds another layer of protection. Yet the most effective defence is simple: install version 25.00 or later and ensure no privileged processes are still running older builds.
With attackers now targeting this 7-Zip vulnerability, the window for delayed patching has closed. Organisations running older versions on Windows should treat this as a priority, as the exploit chain is already well understood and freely available.