7‑Zip < 25.00 Directory Traversal (CVE‑2025‑11001) Enables Remote Code Execution on Windows
What Happened — CVE‑2025‑11001 is a directory‑traversal flaw in how 7‑Zip versions prior to 25.00 handle symbolic‑link entries in ZIP archives. A crafted archive can carry an entry flagged as a symbolic link whose target contains ../ components, followed by a file entry written through that link, so the file lands outside the intended extraction folder. On Windows, creating a symbolic link normally requires SeCreateSymbolicLinkPrivilege, which standard users do not hold unless Developer Mode is enabled; the realistic attack path is therefore extraction by an administrator or by a privileged service or automated job. In that case the attacker can drop a malicious payload into a location that leads to code execution and full system compromise. Public exploit code is available and active exploitation has been reported.
Why It Matters for TPRM —
- 7‑Zip is widely bundled by MSPs, SaaS platforms, and internal IT teams for automated file handling, creating a common attack surface across third‑party ecosystems.
- Successful exploitation grants attackers a foothold on a vendor’s workstation, enabling lateral movement into customer environments and potential supply‑chain compromise.
- The vulnerability carries a CVSS 8.8 (High) rating, making it a priority for remediation in any risk‑based vendor assessment.
Who Is Affected — Organizations that deploy 7‑Zip < 25.00 on Windows workstations or servers, especially MSPs, cloud‑hosting providers, and any vendor that uses the utility for automated archive processing.
Recommended Actions —
- Inventory all assets running 7‑Zip and verify the version.
- Upgrade immediately to 7‑Zip 25.00 or later.
- Enforce least‑privilege extraction policies; do not run 7‑Zip as Administrator or under privileged service accounts in automated archive‑processing pipelines.
- Monitor for unexpected symbolic links (reparse points) created under extraction directories and for writes to system directories immediately after archive extraction.
- Review third‑party contracts for software‑component security clauses and require timely patching.
Technical Notes — CVE‑2025‑11001, CVSS 8.8 (High). The exploit places a ZIP entry flagged as a symbolic link (named evil.lnk in the referenced PoC; it is a Unix‑style symlink entry, not a Windows shortcut file) whose target is a ../../../../ traversal path, then writes a file through that link to an arbitrary location, leading to RCE on Windows 10/11. 7‑Zip 25.00 fixes this together with the related symlink‑handling issue CVE‑2025‑11002 (see the official history). Source: https://www.exploit-db.com/exploits/52501
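The following is an added example and not the referenced PoC or any 7‑Zip code: it uses Python's zipfile module to construct an archive of the shape described above (a symlink‑flagged entry with a ../ target, a file entry written through it, plus a classic ../ path entry) and then runs the pre‑extraction audit a vendor's automated pipeline should apply before handing an untrusted archive to any extractor. The entry names, the link target and the output directory are placeholders chosen for illustration.

```python
import io
import os
import stat
import zipfile


def build_traversal_zip(target: str = "../../../../Windows/Temp") -> bytes:
    """Constructed sample archive with the three hostile shapes: a Unix-style
    symlink entry, a file routed through that link, and a bare ../ path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("evil.lnk")          # name is a placeholder
        link.create_system = 3                      # 3 = Unix, so mode bits are honored
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # symlink mode in high 16 bits
        zf.writestr(link, target)                   # symlink "content" is its target
        zf.writestr("evil.lnk/payload.exe", b"MZ placeholder")  # written through the link
        zf.writestr("../../escape.txt", b"x")       # classic zip-slip path
        zf.writestr("readme.txt", b"harmless")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive used as the control case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"harmless")
        zf.writestr("bin/tool.exe", b"MZ placeholder")
    return buf.getvalue()


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True when the Unix mode bits stored in external_attr mark a symlink."""
    return stat.S_ISLNK(info.external_attr >> 16)


def entry_escapes(dest_real: str, norm: str) -> bool:
    """True when a forward-slash-normalised entry name resolves outside dest."""
    parts = norm.split("/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":") or ".." in parts:
        return True
    resolved = os.path.normpath(os.path.join(dest_real, norm))
    return resolved != dest_real and not resolved.startswith(dest_real + os.sep)


def audit_zip(data: bytes, dest: str) -> list[str]:
    """Return one finding per entry that must not be extracted into dest."""
    findings: list[str] = []
    dest_real = os.path.normpath(os.path.abspath(dest))
    link_names: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = name.replace("\\", "/")  # hostile archives also use backslashes
            if is_symlink_entry(info):
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(f"symlink entry {name!r} -> {target!r}")
                link_names.add(norm.rstrip("/"))
                continue
            if entry_escapes(dest_real, norm):
                findings.append(f"path traversal in {name!r}")
            # An entry whose own path looks clean still lands outside dest
            # if its first component is a symlink created by an earlier entry.
            first = norm.split("/")[0]
            if first in link_names:
                findings.append(f"{name!r} writes through symlink {first!r}")
    return findings


def safe_extract(data: bytes, dest: str) -> int:
    """Refuse the whole archive on any finding; otherwise extract and
    return the number of entries written."""
    findings = audit_zip(data, dest)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
        return len(zf.infolist())


if __name__ == "__main__":
    for finding in audit_zip(build_traversal_zip(), "out"):
        print(finding)
    print("clean archive findings:", audit_zip(build_clean_zip(), "out"))
```

The audit rejects the archive as a unit rather than skipping bad entries, because the dangerous write is the second entry, which looks harmless on its own; only the combination of an earlier symlink entry and a later path through it reveals the traversal. Running the audit in the pipeline before the real extractor (7‑Zip or otherwise) is independent of whether that extractor has been patched.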