—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Directory Traversal Remote Code Execution Vulnerability in 7-Zip

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: High

Software Affected

• 7-Zip versions prior to 25.00

Overview

A vulnerability has been reported in 7-Zip, which could be exploited by a remote attacker to traverse directories and execute arbitrary code on the targeted system.

Target Audience:

All end-user organizations and individuals using affected versions of 7-Zip.

Risk Assessment:

High risk of remote code execution, unauthorized directory access, and data manipulation

Impact Assessment: 

Potential for service disruption, sensitive information disclosure and full system compromise. 

Description

7-Zip is a file archiver utility used for creating, managing, and extracting compressed archives across various formats.

This vulnerability exists in the 7-Zip due to improper handling of symbolic links in ZIP files. A remote attacker could exploit this by supplying a specially crafted ZIP archive that, when opened or extracted, causes 7-Zip to follow symbolic links to unintended directories.

Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to files or execute arbitrary code on the targeted system.

Solution

• Update to version 25.00 or later of 7-Zip

Vendor Information 

7-Zip

https://7-zip.org/

References

https://www.zerodayinitiative.com/advisories/ZDI-25-949/

CVE Name

CVE-2025-11001

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmkgiRIACgkQ3jCgcSdc

ys8iqw/9ER9WHStb0peoBggcHYIZVOX5a6R6f7oi76+ATSRKm3LBaTkPqUiWLZEE

Ldyhi01xFLZA/T0fsJ3zykZfkRotYe3Jl09QC40bve0+e3QweVDpFGGiJUkJfZkD

SoNDGUras/htOfVzBwWfriu1d2nkwLX2mY4IGT4p0i55CHZU7NhxCK16JkY/Xano

+NbjT3hXWnRW/btl7/ygKU9seWn98D4gcw+UHWZMyL++S/uDXns4dJTz086lXyjR

qD0/Asx7xxqiPzyeQyOqccP9RjrworRXAuDPEeiLQCEUQ7tOtoSrSNMX4jaLzwD+

tnNKjm2T8PbV9E3tTiFxqSFCtQaKgCmL/rangJTQUTAvog32WxqnqQs5wm+e1r7F

fvenz+LQWlK7ZrKu2Zlw3BCv5T+yxoZyMNAntJErkGXL7EQ1XHhL89f4P3mgwENx

vXnxRfQEnkAXKmcfLgFuzMKYVmmR5qfZpcNHN/uU5xqgHMpr6dnWrhzUmu0zy5na

39ZLFYv1+u1nQiZLURHzllWNfY+vnqAU3Ob8Io1J3tGy2XMIBLtmphSy2GMRM9bG

Nszlpyt4WjyVlmxYaNCUEbyowFDI3Vz5mBVbUe82YW4z5cIIKp5te4hYgnn1KVTT

CtEjtMsKZKCbLaxSOfPKjkQYX5kldnvk+GZxERv1psKYoC4Hfrs=

=xT7n

—–END PGP SIGNATURE—–