CVE-2025-11002: Malicious ZIP Files Turn 7-Zip Extraction Into Code Execution Risk

Aegiron 8 mins0

CVE-2025-11002 – 7-Zip Directory Traversal Leading to Remote Code Execution

CVE ID: CVE-2025-11002
Affected Product: 7-Zip
Vulnerability Class: Directory Traversal → Local / Remote Code Execution
CVSS v3.x Score: 7.0
Severity: High
Attack Vector: Local
Privileges Required: None
User Interaction: Required
Exploit Maturity: Proof-of-concepts available
Exploitability: Moderate to High (environment-dependent)

Official Patch / Upgrade Link: Provided below

Vulnerability Overview

CVE-2025-11002 describes a flaw in how 7-Zip processes certain ZIP archive entries during extraction. Improper validation of file paths and symbolic link metadata allows a crafted archive to write files outside the intended extraction directory.

When exploited successfully, this behavior may be chained into arbitrary code execution by placing malicious files into locations that are later executed automatically by the operating system or user environment.

The vulnerability does not self-trigger. Exploitation requires user interaction, typically involving opening or extracting a malicious archive.

Root Cause Analysis

During archive extraction, 7-Zip fails to sufficiently restrict file paths when handling:

  • ZIP entries containing symbolic link metadata
  • Entries using directory traversal sequences
  • Entries resolving to absolute or system-level paths

Instead of enforcing extraction boundaries, certain archive entries are resolved as-is, allowing files to be written to unintended locations on disk.

This behavior breaks the security assumption that extracted files remain confined to the chosen destination folder.

Exploitation Flow

The vulnerability may be exploited through the following sequence:

  1. A malicious ZIP archive is crafted with manipulated file metadata or symbolic link entries.
  2. The archive is delivered to a target via email, download, shared storage, or removable media.
  3. The user opens or extracts the archive using a vulnerable version of 7-Zip.
  4. During extraction, files are written outside the expected directory structure.
  5. A malicious payload is placed in a location that allows later execution (startup folder, application directory, scheduled task location, etc.).
  6. When the affected file is executed by the system or user, attacker-controlled code runs.

Execution occurs with the same privileges as the extracting user or service.

Impact

If successfully exploited, this vulnerability may allow:

  • Execution of arbitrary code
  • Persistence through startup or scheduled execution
  • Overwriting of trusted files
  • Tampering with application or user environment
  • Data compromise depending on execution context

The impact is higher in environments where archive extraction occurs automatically or under elevated privileges.

Exploit Availability

Public proof-of-concept material exists demonstrating the broader exploitation technique involving crafted ZIP archives and symlink or traversal abuse. These materials are intended for security research, testing, and defensive validation only.

The existence of PoC material significantly increases real-world risk, as exploitation does not require advanced tooling once archive construction techniques are understood.

MITRE ATT&CK Mapping

The behavior associated with this vulnerability aligns with the following techniques:

  • T1204 – User Execution
    Exploitation relies on the user opening or extracting a malicious archive.
  • T1203 – Exploitation for Client Execution
    A client-side application is abused to achieve code execution.
  • T1547 – Boot or Logon Autostart Execution
    Persistence may be achieved by writing payloads to startup locations.
  • T1036 – Masquerading
    Malicious files may be named to resemble legitimate components.

Detection Strategy

Relevant Log Sources

Detection is best achieved using a combination of:

  • Endpoint Detection & Response (EDR) telemetry
  • Windows process creation logs
  • File creation and modification logs
  • Application execution logs
  • SIEM correlation rules

Behavioral Indicators

The following patterns should be treated as suspicious:

  • Archive extraction processes writing files to:
    • System directories
    • Startup folders
    • ProgramData locations
    • Application execution paths
  • Executable or script files created immediately after archive extraction
  • Unexpected child processes spawned shortly after 7-Zip execution
  • Newly written files executed within minutes of extraction

Detection Logic

Behavioral Rule Concept:

  • Detect execution of archive extraction tools
  • Monitor file write activity during extraction window
  • Alert when executable files are written outside the extraction directory
  • Correlate with subsequent execution events

This approach is resilient against filename obfuscation and payload variation.

Threat Hunting Guidance

When investigating potential exploitation:

  1. Identify recent archive extraction activity.
  2. Review file creation events following extraction.
  3. Focus on executable or script file types.
  4. Inspect unusual write locations.
  5. Check for persistence mechanisms.
  6. Validate file signatures and origins.
  7. Contain affected hosts if malicious behavior is confirmed.

Mitigation and Prevention

Immediate Actions

  • Upgrade 7-Zip to the latest fixed release from the official website.
  • Remove outdated portable or embedded copies of 7-Zip.
  • Restrict archive extraction in privileged contexts.
  • Educate users about opening untrusted archives.

Hardening Recommendations

  • Prevent archive tools from running with administrative privileges.
  • Block or inspect archives containing symbolic links.
  • Enforce application allow-listing.
  • Use sandboxing for file extraction workflows.

Official Fix

The vulnerability has been addressed in updated versions of 7-Zip.

Official Upgrade Location:
https://www.7-zip.org/

All affected systems should be upgraded using the official installer. Third-party repackaged or bundled versions should also be reviewed and updated.

Final Takeaway

CVE-2025-11002 demonstrates how seemingly low-risk file handling issues can escalate into full code execution when combined with user behavior and operating system features. While exploitation requires interaction, the widespread use of archive files makes this vulnerability operationally relevant.

Timely patching, behavioral detection, and user awareness remain the most effective defenses.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.