A recently revealed security flaw affecting 7-Zip is being exploited in the wild, according to an advisory issued by NHS England Digital on Tuesday.
The vulnerability in question is CVE-2025-11001 (CVSS score: 7.0), which could allow a remote attacker to execute arbitrary code. This issue was addressed in 7-Zip version 25.00, released in July 2025.
“A specific flaw exists in the handling of symbolic links within ZIP files. Specially crafted data within a ZIP file could allow a process to navigate to an unintended directory,” Trend Micro’s Zero-Day Initiative (ZDI) said in an alert released last month. “An attacker could exploit this vulnerability to execute code in the context of the service account.”
Ryota Shiga of GMO Flatt Security Inc. is credited with discovering and reporting the vulnerability, along with Takumi, the company’s artificial intelligence (AI)-powered AppSec auditor.
It is worth noting that 7-Zip 25.00 also resolves another flaw, CVE-2025-11002 (CVSS score: 7.0). This flaw could allow remote code execution by leveraging improper handling of symbolic links within a ZIP archive, resulting in directory traversal. Both drawbacks were introduced in version 21.02.
NHS England Digital said: “Active exploitation of CVE-2025-11001 has been observed in the wild.” However, details about how it is being weaponized, by whom, and in what circumstances are currently unknown.
Given the existence of proof-of-concept (PoC) exploits, it is important for 7-Zip users to act quickly to apply the required fixes as soon as possible, even if they have not already done so, for optimal protection.
“This vulnerability can only be exploited from the context of an elevated user/service account or a machine with developer mode enabled,” security researcher Dominik (aka pacbypass), who published the PoC, said in a post detailing the flaw. “This vulnerability can only be exploited on Windows.”
