Two high-severity security flaws have been discovered in the popular open-source file archiver 7-Zip. These vulnerabilities allow remote attackers to execute code on a victim’s computer. These vulnerabilities are tracked as CVE-2025-11001 and CVE-2025-11002, affecting all 7-Zip versions released before version 25.00.
If you use 7-Zip, you should update to the latest version immediately to stay protected.
The issue lies in how 7-Zip processes symbolic links inside ZIP archives. A symbolic link is a type of shortcut that points to another file or directory. Attackers can exploit this by creating a malicious ZIP file that contains specially crafted data.
Read: Error 0x8096002A: How to Fix this error on Windows
When a user with a vulnerable version of 7-Zip tries to extract this file, the program can be tricked into performing a directory traversal. So, attackers could plant harmful files in sensitive system locations.
While this attack starts remotely, it still needs user interaction. The victim has to open and extract the file for the attack to work. Depending on how 7-Zip is used in different systems, the attack could lead to arbitrary code execution. It lets hackers run commands on the device with the same permissions as the user. If successfully exploited, these vulnerabilities could give attackers the ability to take full control of the system, steal data, or even install additional malware or ransomware.
Also Read: How to Repair Broken or Corrupted Zip Files
Both flaws have been given a CVSS 3.0 score of 7.0, which marks them as high severity. They are not classified as critical because the attack requires some user action.
