A critical security flaw (CVE-2025-11001, CVSS 7.0) in 7-Zip is being actively exploited in the wild, allowing remote attackers to execute arbitrary code via malicious ZIP files. The vulnerability stems from improper handling of symbolic links, enabling directory traversal attacks. While exploitation requires elevated privileges (e.g., service accounts or Windows Developer Mode), proof-of-concept (PoC) exploits are publicly available, increasing risk. The flaw, patched in 7-Zip 25.00 (July 2025), affects versions since 21.02. Though no specific attack details (actor, method, or scale) have been disclosed, the UK’s NHS England Digital issued an advisory urging immediate updates. Failure to patch could lead to unauthorized system access, data breaches, or lateral movement within networks. The vulnerability’s active exploitation heightens urgency, particularly for organizations relying on 7-Zip for file compression/decompression, as attackers could weaponize it for broader campaigns (e.g., malware delivery, ransomware pre-staging).
Source: https://thehackernews.com/2025/11/hackers-actively-exploiting-7-zip.html
Zip cybersecurity rating report: https://www.rankiteo.com/company/theziphq
"id": "THE5202052112025",
"linkid": "theziphq",
"type": "Vulnerability",
"date": "7/2025",
"severity": "50",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'location': 'Global', 'name': '7-Zip Users', 'type': 'Software Users'},
                       {'industry': 'Healthcare', 'location': 'United Kingdom', 'name': 'UK NHS England Digital', 'type': 'Government Health Service'}],
 'attack_vector': ['Malicious ZIP File', 'Symbolic Link Manipulation'],
 'customer_advisories': ['Public advisory to update 7-Zip'],
 'date_resolved': '2025-07',
 'description': 'A recently disclosed security flaw (CVE-2025-11001, CVSS score: 7.0) in 7-Zip is under active exploitation in the wild. The vulnerability allows remote attackers to execute arbitrary code via crafted symbolic links in ZIP files, leading to directory traversal. It was patched in 7-Zip version 25.00 (July 2025). Proof-of-concept (PoC) exploits exist, and exploitation is limited to elevated user/service accounts or Windows machines in developer mode. A related flaw, CVE-2025-11002 (CVSS score: 7.0), was also addressed in the same update.',
 'impact': {'systems_affected': ['Windows systems with 7-Zip versions < 25.00',
                                 'Machines with elevated user/service accounts',
                                 'Machines in developer mode']},
 'initial_access_broker': {'entry_point': ['Malicious ZIP file with crafted symbolic links']},
 'investigation_status': 'Ongoing (active exploitation observed; weaponization details unknown)',
 'post_incident_analysis': {'corrective_actions': ['Patch release (7-Zip 25.00)', 'Public disclosure and advisory'],
                            'root_causes': ['Improper handling of symbolic links in ZIP archives (introduced in 7-Zip 21.02)',
                                            'Directory traversal vulnerability enabling arbitrary code execution']},
 'recommendations': ['Update 7-Zip to version 25.00 or later immediately.',
                     'Restrict elevated user/service account privileges where possible.',
                     'Disable developer mode on Windows systems if not required.',
                     'Monitor for suspicious ZIP file activity or directory traversal attempts.'],
 'references': [{'source': 'UK NHS England Digital Advisory'},
                {'source': "Trend Micro's Zero Day Initiative (ZDI) Alert"},
                {'source': 'Security Researcher Dominik (aka pacbypass) PoC'}],
 'regulatory_compliance': {'regulatory_notifications': ['NHS England Digital advisory']},
 'response': {'communication_strategy': ['Public advisory by NHS England Digital',
                                         'Security researcher disclosures (e.g., Dominik aka pacbypass)'],
              'containment_measures': ['Patch deployment (7-Zip 25.00)'],
              'remediation_measures': ['Apply software updates', 'Monitor for exploitation attempts'],
              'third_party_assistance': ["Trend Micro's Zero Day Initiative (ZDI)", 'GMO Flatt Security Inc.']},
 'stakeholder_advisories': ['NHS England Digital'],
 'title': 'Active Exploitation of 7-Zip CVE-2025-11001 Vulnerability',
 'type': ['Vulnerability Exploitation', 'Remote Code Execution (RCE)', 'Directory Traversal'],
 'vulnerability_exploited': ['CVE-2025-11001', 'CVE-2025-11002']}