NHS England Warns of Active 7-Zip Exploit (CVE-2025-11001)

Summary
– NHS England Digital has warned that attackers are actively exploiting a 7-Zip vulnerability (CVE-2025-11001).
– The vulnerability is a path traversal flaw in 7-Zip versions v21.02 through v24.09, fixed in v25.00, released in July 2025.
– It allows attackers to execute code in the context of a service account by abusing how 7-Zip handles symbolic links in malicious ZIP files.
– Exploitation is limited to Windows systems where 7-Zip runs under an elevated user or service account, or where Developer Mode is enabled, because creating a symlink is a privileged operation on Windows.
– Users are urged to update 7-Zip to the latest version manually and immediately, since the software has no auto-update feature.

NHS England Digital has issued a critical security alert concerning an actively exploited vulnerability within the 7-Zip file archiving utility, identified as CVE-2025-11001. This warning highlights a significant cybersecurity risk for organizations and individuals relying on the popular compression tool, urging immediate action to prevent potential system compromise.
The alert confirms that malicious actors are currently leveraging this flaw in real-world attacks, though specific details regarding the scope or origin of these incidents remain undisclosed. This vulnerability, along with a related issue cataloged as CVE-2025-11002, represents a path traversal weakness initially introduced in 7-Zip version 21.02. Both security gaps were subsequently resolved with the release of version 25.00 in July 2025.
Public disclosure of these vulnerabilities occurred on October 7, 2025, through advisories published by the Zero Day Initiative. The discovery is credited to researcher Ryota Shiga of GMO Flatt Security, who identified the issues using an AI-driven application security tool named Takumi. The core of the problem lies in how the software processes symbolic links contained within ZIP archives. By manipulating this data, an attacker can force the application to access unintended directories on the file system. This manipulation could ultimately allow the execution of malicious code under the privileges of the service account running 7-Zip.
Further analysis was conducted by an independent security researcher known as “PacBypass,” who examined the code changes between versions 24.09 and 25.00. This investigation led to a detailed technical analysis and the publication of a proof-of-concept exploit for CVE-2025-11001 approximately ten days after the initial advisories. PacBypass clarified that exploitation is confined to the Windows operating system and requires specific conditions: the 7-Zip process must be running with elevated user or service account privileges, or the Windows machine must have Developer Mode activated. This restriction exists because creating a symbolic link is a privileged operation in Windows, making the attack primarily relevant when the software is operated by a service account.
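The mechanism described above, a symlink entry inside a ZIP steering later writes outside the extraction directory, can be checked for before an archive is handed to an unpatched 7-Zip. The scanner below is an added example written for this article, not code from 7-Zip, the researchers, or HelpNet Security; it assumes only the Python standard library and builds its own constructed sample archive.

```python
import io
import posixpath
import stat
import zipfile

def escapes_root(name: str) -> bool:
    """True when a path would resolve outside the extraction directory:
    '..' traversal, an absolute POSIX path, or a Windows drive prefix."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../") or posixpath.isabs(norm):
        return True
    return len(norm) > 1 and norm[1] == ":"

def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """Unix-created ZIP entries store the file mode in the upper 16 bits of
    external_attr; S_IFLNK there means 'extract me as a symbolic link'."""
    mode = (info.external_attr >> 16) & 0xFFFF
    return stat.S_ISLNK(mode)

def audit_zip(data: bytes) -> list:
    """Return (entry name, reason) findings for entries that could redirect
    extraction. Every symlink entry is reported: a link extracted early can
    turn later, innocent-looking entries into writes outside the target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if escapes_root(info.filename):
                findings.append((info.filename, "entry path escapes root"))
            if is_symlink_entry(info):
                target = zf.read(info).decode("utf-8", "replace")
                reason = "symlink entry -> " + target
                if escapes_root(target):
                    reason += " (target outside root)"
                findings.append((info.filename, reason))
    return findings

def build_sample_zip() -> bytes:
    """Constructed test data: one benign file plus one symlink entry whose
    target leaves the extraction directory. Not a real-world sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        link = zipfile.ZipInfo("escape_link")
        link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
    return buf.getvalue()
```

Running `audit_zip` over an archive's bytes before extraction, and refusing archives that return any findings, gives a simple gate for automated pipelines that still depend on older 7-Zip builds.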
This incident is not an isolated case. In August 2025, a separate arbitrary file write vulnerability, tracked as CVE-2025-55188, was also publicly disclosed. This flaw similarly stemmed from 7-Zip’s improper management of symbolic links and could lead to code execution if a user extracted a maliciously crafted archive. The maintainer of 7-Zip, Igor Pavlov, addressed this in version 25.01, noting that the code for handling symbolic links was modified to enhance security during file extraction processes.
The absence of an automatic update mechanism in 7-Zip makes user intervention essential. All users are strongly advised to manually upgrade to the most recent version of the software immediately to protect their systems from these confirmed threats. Staying on outdated versions leaves systems exposed to attackers who are actively weaponizing these vulnerabilities.
(Source: HelpNet Security)