CVE-2025-11001 and CVE-2025-11002 in 7-Zip Enable Remote Code Execution
Two 7-Zip vulnerabilities (CVE-2025-11001, CVE-2025-11002) allow directory traversal via symbolic links in ZIP archives, enabling overwrite of arbitrary files and potential code execution when paired with dependent services or scheduled tasks. Exploitation requires only that a user open or extract a crafted archive, making enterprise file-sharing and automated extraction pipelines high-risk. Version 25.00 introduces safe path canonicalization and blocks symlinks escaping extraction directories. Environments with automated processing must upgrade and disable auto-extract for untrusted sources.
CORTEX Protocol Intelligence Assessment
Business Impact: Risk of arbitrary overwrite/RCE on endpoints and servers via routine archive handling.
Technical Context: Improper symlink handling causing directory traversal; fixed in 7-Zip 25.00.
Strategic Intelligence Guidance
- Upgrade to 7-Zip 25.00; disable auto-extraction for untrusted files.
- Monitor for traversal patterns in extraction logs; enforce sandboxing.
- Harden scheduled tasks/services that could be hijacked post-overwrite.
- Educate users on archive handling and embedded symlink risks.
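One way an automated pipeline can apply the "safe path canonicalization, block symlinks escaping the extraction directory" check before handing an untrusted archive to an extractor. This is an added example, not 7-Zip's own code; the extraction root `/srv/extract` and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile

ROOT = "/srv/extract"  # assumed extraction directory (not from the advisory)

def _escapes(root, rel):
    """True if joining rel onto root lands outside root after normalization."""
    full = posixpath.normpath(posixpath.join(root, rel))
    return full != root and not full.startswith(root + "/")

def audit_zip(data, root=ROOT):
    """Return (entry, reason) findings for entries that could escape root:
    '..' or absolute names, symlink targets outside root, or a later
    entry written through an earlier symlink entry."""
    findings, links = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or _escapes(root, name):
                findings.append((name, "path escapes extraction root"))
                continue
            # an entry placed under a symlink declared earlier in the archive
            if any(name.startswith(lnk + "/") for lnk in links):
                findings.append((name, "write through symlink"))
                continue
            mode = info.external_attr >> 16  # Unix mode bits, if present
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode()
                rel = posixpath.join(posixpath.dirname(name), target)
                if target.startswith("/") or _escapes(root, rel):
                    findings.append((name, f"symlink escapes root -> {target}"))
                links.append(name)
    return findings

def build_sample():
    """Constructed archive: a benign file, a symlink pointing outside the
    root, a file written through that link, and a '..' path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("cfg")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc")
        zf.writestr("cfg/payload.conf", "owned")
        zf.writestr("../escape.txt", "x")
    return buf.getvalue()
```

An archive with any finding should be quarantined rather than auto-extracted; the benign `docs/readme.txt` entry produces none.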
Intelligence Source: CVE-2025-11001 and CVE-2025-11002 Vulnerabilities: Critical Flaws in 7-Zip Enable Remote Code Execution | Oct 15, 2025