A proof-of-concept exploit has been released for two high-severity vulnerabilities in the popular file archiver 7-Zip, potentially allowing attackers to write files outside the extraction directory and, from there, achieve arbitrary code execution through malicious ZIP files.
The flaws, tracked as CVE-2025-11001 and CVE-2025-11002, were disclosed by the Zero Day Initiative (ZDI) on October 7, 2025, and stem from improper handling of symbolic links during ZIP extraction on Windows systems.
Both carry a CVSS v3.0 base score of 7.0 (High), a rating that reflects serious impact despite initial perceptions of lower risk.
These issues affect 7-Zip versions from 21.02 up to 24.09, where flaws in the symlink conversion process enable path traversal attacks. Discovered by Ryota Shiga of GMO Flatt Security Inc., the vulnerabilities lie in how 7-Zip processes Linux-style symlinks, converting them to Windows symlinks without adequate checks on the link target.
In a detailed analysis shared by security researcher pacbypass, the bugs are traced to the ArchiveExtractCallback.cpp module, particularly to functions such as IsSafePath and CLinkLevelsInfo::Parse.
Unpacking the Symlink Flaws
The core problem lies in 7-Zip's extraction logic, which fails to properly validate symlink targets. When a ZIP contains a Linux symlink whose target is a Windows absolute path such as C:\Users, the software classifies that target as relative, because the absolute-path check applied to Linux-style links is tailored to Linux or WSL paths and does not recognise a Windows drive-letter path as absolute.
This bypasses the safety checks in IsSafePath and allows the symlink to resolve outside the extraction directory.
Further, when the link is created in SetFromLinkPath, 7-Zip prepends the extraction folder path to the target, producing a path that looks like a safe relative path and so passes validation.
A subsequent check in CloseReparseAndFile applies directory-specific scrutiny only to directories, so a non-directory symlink can point anywhere. The patch in version 25.00 introduces a new IsSafePath overload with an isWSL flag and refined parsing that detects absolute paths correctly, closing these gaps.
The analysis draws on diffs between versions 24.09 and 25.00 on GitHub, which show a rework of symlink support. One CVE likely covers direct path traversal; the other involves UNC path symlinks, which raises the stakes in networked environments.
Exploiting these flaws requires crafting a ZIP in which a symlink entry is extracted first, so that subsequent entries placed under it are redirected to sensitive locations such as the Desktop or system directories.
For instance, a malicious archive could contain a symlink named "link" pointing to C:\Users\[Username]\Desktop, followed by a payload such as calc.exe placed under that link. Upon extraction, 7-Zip follows the link and writes the executable to the Desktop, which can lead to code execution if the user runs it.
The PoC, available on pacbypass’s GitHub repository, demonstrates this by unpacking a directory structure that dereferences the symlink, enabling arbitrary file writes.
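As an added example (this is not the pacbypass PoC and not 7-Zip's own code), the following Python script illustrates both the flawed check described above and the archive layout the PoC relies on. It builds a constructed ZIP containing a Linux-style symlink entry named "link" whose target is a Windows drive-letter path, followed by a file written through that link, then scans the archive with two checks: one that, like the pre-25.00 logic, treats a target as absolute only when it starts with a path separator, and a Windows-aware one that also recognises drive letters and UNC prefixes. The entry names, the C:\Users\Public\Desktop target and the placeholder file contents are all assumptions for the demonstration.

```python
"""Detect ZIP symlink entries that could redirect extraction (added example)."""
import io
import re
import stat
import zipfile


def is_absolute_linux_only(target: str) -> bool:
    """Separator-only check: misses 'C:\\Users' the way the vulnerable logic did."""
    return target[:1] in ("/", "\\")


_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")


def is_absolute_windows_aware(target: str) -> bool:
    """Treat root-relative, drive-letter and UNC targets as absolute."""
    return (
        target[:1] in ("/", "\\")              # "/etc" or "\foo"
        or bool(_DRIVE_RE.match(target))       # "C:\Users\..."
        or target.startswith(("\\\\", "//"))   # "\\server\share" (UNC)
    )


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix-created entries keep st_mode in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def scan_zip(data: bytes) -> list:
    """Return findings for symlinks that escape the extraction directory and
    for later entries whose path passes through an earlier symlink."""
    findings = []
    symlinks = {}  # entry name -> link target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.rstrip("/")
            if is_symlink_entry(info):
                # For symlink entries the file body is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                symlinks[name] = target
                if is_absolute_windows_aware(target):
                    findings.append(f"{name}: absolute symlink target {target!r}")
                elif ".." in target.replace("\\", "/").split("/"):
                    findings.append(f"{name}: parent traversal in symlink target {target!r}")
                continue
            # A regular entry under a previously seen symlink is written through it.
            parts = name.replace("\\", "/").split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append(
                        f"{name}: written through earlier symlink {prefix!r} -> {symlinks[prefix]!r}"
                    )
                    break
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real exploit): a Linux symlink 'link' pointing at
    a Windows Desktop path, followed by link/calc.exe with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("link")
        link.create_system = 3  # 3 = Unix, so extractors honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, r"C:\Users\Public\Desktop")
        zf.writestr("link/calc.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("linux-only check flags C:\\Users ->", is_absolute_linux_only(r"C:\Users"))
    print("windows-aware check flags C:\\Users ->", is_absolute_windows_aware(r"C:\Users"))
    for line in scan_zip(sample):
        print(line)
```

The separator-only check returns False for the drive-letter target, which is exactly the gap the page describes, while the Windows-aware check flags it and the scanner also flags calc.exe because its path runs through the earlier "link" entry. The same scanner can be pointed at real archives before they are handed to an extractor that runs with symlink-creation privileges.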
However, creating symbolic links on Windows requires elevated privileges, Developer Mode, or an elevated service context, which limits exploitation to targeted scenarios rather than broad phishing. The flaws affect 7-Zip on Windows only; Linux and macOS are not affected.
Mitigations
Users should update to 7-Zip 25.00 or later, which addresses both issues. Disabling symlink support during extraction, or scanning archives with antivirus tools before extracting them, can reduce exposure. These vulnerabilities underscore the ongoing risk in archive handlers, echoing past 7-Zip flaws such as directory traversals.
With the PoC public, attackers may try to weaponise it for initial access, although the privilege requirements noted above narrow the set of viable targets. Organizations relying on 7-Zip for bulk extractions, particularly in automated or elevated service contexts, should audit those workflows and monitor for anomalous file writes.
The post PoC Exploit Released for 7-Zip Vulnerabilities that Let Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.