Critical 7-Zip Vulnerabilities - How Hackers Can Execute Code Remotely! (2025)

7-Zip's Critical Flaws: A Wake-Up Call for Security

In a recent development, two critical vulnerabilities have been uncovered in the popular 7-Zip software, specifically related to its handling of ZIP archives. These flaws open the door for remote attackers to execute arbitrary code, a scenario that should set alarm bells ringing for security professionals.

The Directory Traversal Dilemma

The vulnerabilities, tracked as CVE-2025-11002 and CVE-2025-11001, stem from 7-Zip's improper processing of symbolic links within ZIP files. This allows attackers to craft malicious archives that force directory traversal, ultimately leading to code execution in the context of vulnerable services.

But here's where it gets controversial...

An attacker can supply a malicious ZIP file with symbolic link entries that bypass the installer's intended directory boundaries. When 7-Zip processes these archives, it inadvertently follows links to directories outside the extraction path, potentially overwriting arbitrary files or placing malicious payloads in sensitive locations.

And this is the part most people miss...

Exploitation of these vulnerabilities requires minimal user interaction, such as opening or extracting the archive in a compromised environment. This means that even users with limited technical knowledge can inadvertently trigger the attack.

Proof-of-Concept and Real-World Scenarios

A proof-of-concept demonstrates the creation of a ZIP archive with a symbolic link entry, for example, ../../../../windows/system32/malicious.dll, pointing to an attacker-controlled file. When extracted by a service running under the SYSTEM account, the DLL is placed in the System32 directory, and subsequent requests to load the library result in arbitrary code execution with elevated privileges.

Security Recommendations

Security teams are advised to audit systems that automatically process ZIP files, especially in enterprise file-sharing and automated backup solutions. Implementing strict directory sanitization or disabling automatic extraction in untrusted contexts can help mitigate exploitation risks.

The Solution: 7-Zip 25.00

The good news is that 7-Zip version 25.00 addresses both vulnerabilities by enforcing safe path canonicalization and blocking symbolic links that escape the intended extraction directory. Administrators are strongly urged to upgrade immediately.

Indicators of Compromise (IoCs)

Security professionals should look out for unexpected DLLs or executables in protected directories following archive extraction, as well as suspicious ZIP entries containing excessive path traversal sequences. These could be indicators of a potential compromise.
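An added example, not from the original article or from the 7-Zip project: a Python pre-extraction audit that lists ZIP entries whose name or symbolic-link target would resolve outside the extraction directory, which is the pattern the recommendations and indicators above describe. The function names and the sample archive are constructed for illustration, and the check assumes symlink entries are marked with a Unix file mode in the entry's external attributes.

```python
import io
import posixpath
import stat
import zipfile

def _is_abs(p: str) -> bool:
    # POSIX absolute path or Windows drive-letter path
    return p.startswith("/") or p[1:2] == ":"

def _escapes(p: str) -> bool:
    # True when the normalised path is absolute or climbs above the root
    norm = posixpath.normpath(p)
    return _is_abs(p) or norm == ".." or norm.startswith("../")

def audit_zip(data: bytes) -> list:
    """Return (entry, reason) pairs for entries that could write outside the root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if _escapes(name):
                findings.append((info.filename, "path leaves extraction root"))
            # The Unix file mode sits in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                # For a symlink entry the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                # A relative target resolves against the link's own directory.
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _is_abs(target) or _escapes(resolved):
                    findings.append((info.filename, "symlink target leaves extraction root"))
    return findings

def constructed_sample() -> bytes:
    """Constructed archive: a plain file, a traversal name, one escaping and one safe link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "x")
        for name, target in (("docs/link", "../../elsewhere"), ("docs/inner", "readme.txt")):
            entry = zipfile.ZipInfo(name)
            entry.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(entry, target)
    return buf.getvalue()

if __name__ == "__main__":
    for entry, reason in audit_zip(constructed_sample()):
        print(f"REJECT {entry}: {reason}")
```

A service that extracts untrusted uploads can run such a check first and refuse the whole archive when the list is non-empty, logging the findings for the review described below.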

Continuous Vigilance

Organizations relying on automated ZIP extraction should review their logs for anomalous directory traversal patterns and deploy the patched 7-Zip 25.00 promptly. Continuous monitoring of file-handling services and enforcing strict input validation remain crucial defenses against similar ZIP-based attacks.


  • Divya, Senior Journalist at GBhackers
Author: Dr. Pierre Goyette
