Active Exploitation of 7-Zip Vulnerability CVE-2025-11001

Published: November 20, 2025
Category: Hot Technology Sectors
Word Count: 250 words

Full Transcript

Hackers are actively exploiting a security flaw in 7-Zip, known as CVE-2025-11001, according to recent disclosures by U.K. NHS England Digital. This vulnerability, rated with a CVSS score of 7.0, allows remote attackers to execute arbitrary code by manipulating symbolic links within ZIP files.

The specific flaw allows crafted data in a ZIP file to cause the process to traverse to unintended directories, leading to potential code execution in the context of a service account. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., alongside the AI-powered AppSec Auditor Takumi.

The report indicates that the vulnerability affects 7-Zip versions prior to 25.00. Version 25.00, released in July 2025, also addresses another flaw, CVE-2025-11002, which has a similar impact. Active exploitation of CVE-2025-11001 has been confirmed in the wild, although details regarding the attackers and the methods used remain unclear.

Security researcher Dominik, known as pacbypass, has released a proof-of-concept exploit, further highlighting the urgency for users to apply updates. Note that the vulnerability is exploitable only on Windows systems, and only from an elevated user or service account or on machines with developer mode enabled.

The situation underscores the critical need for organizations to prioritize patch management and timely vulnerability disclosures to mitigate the risk of exploitation. As the threat landscape evolves, staying vigilant against known vulnerabilities is paramount for cybersecurity defenses.

Immediate action is recommended for all 7-Zip users to ensure they have installed the latest version to protect against potential threats.
