In a nutshell: The 7-Zip file archiver is a popular open-source alternative to paid programs like WinZip and WinRAR. Widely used by both organizations and individuals, it has also become a frequent target for hackers and cybercriminals.
Two recently discovered security flaws could make 7-Zip a serious risk to data and system security. These bugs had been known internally for months, and 7-Zip developer Igor Pavlov released a patch this summer. However, users relying on older versions are strongly advised to update ASAP. Because 7-Zip does not have an automatic update mechanism, this becomes a larger security risk.
According to Trend Micro's Zero Day Initiative, the two flaws are tracked as CVE-2025-11001 and CVE-2025-11002. Both describe the same type of vulnerability: a file-parsing directory traversal remote code execution flaw. The vulnerabilities could allow attackers to execute malicious code on a local system, the firm warns.
Exploitation requires user interaction, but the risk can vary depending on how the exploit is implemented. Essentially, the issue stems from 7-Zip incorrectly handling symbolic links in ZIP archives. A specially crafted ZIP file could cause the archiver to write files outside the intended extraction folder, potentially compromising the system.
An attacker could exploit these flaws by tricking users into downloading a malicious ZIP file, embedding malware in the archive, and executing the payload when the archive is opened or extracted. The malicious code would run with the same privileges as the user's account, posing a significant threat on Windows systems.
Trend Micro only recently disclosed the flaws publicly, but reported them to 7-Zip's team back in May. Pavlov addressed the issues in 7-Zip 25.00, released on July 5. The current stable build, 25.01, also includes these fixes.
Despite being known for months, CVE-2025-11001 and CVE-2025-11002 may still affect a significant portion of the 7-Zip user base. Critically, the program lacks an automatic update feature and remains popular among users with older systems, given its compatibility with Windows XP and even Windows 2000.
For security-conscious users and organizations, installing the latest version of 7-Zip is now essential. Additionally, avoiding ZIP archives from unknown or untrusted sources is highly recommended.
Two critical flaws put 7-Zip users at risk of remote code execution
