- Cyber Syrup
- Posts
- 7-Zip Vulnerability Under Active Exploitation, NHS England Warns
7-Zip Vulnerability Under Active Exploitation, NHS England Warns
Threat actors are actively exploiting a recently patched 7-Zip vulnerability that can enable remote code execution
In partnership with
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Stop Drowning In AI Information Overload
Your inbox is flooded with newsletters. Your feed is chaos. Somewhere in that noise are the insights that could transform your work—but who has time to find them?
The Deep View solves this. We read everything, analyze what matters, and deliver only the intelligence you need. No duplicate stories, no filler content, no wasted time. Just the essential AI developments that impact your industry, explained clearly and concisely.
Replace hours of scattered reading with five focused minutes. While others scramble to keep up, you'll stay ahead of developments that matter. 600,000+ professionals at top companies have already made this switch.
7-Zip Vulnerability Under Active Exploitation, NHS England Warns
Threat actors are actively exploiting a recently patched 7-Zip vulnerability that can enable remote code execution (RCE), according to a new advisory from NHS England.
The flaw, tracked as CVE-2025-11001 (CVSS 7.0), is a file-parsing directory traversal vulnerability affecting how 7-Zip handles symbolic links inside ZIP archives. Successful exploitation requires user interaction, but can ultimately allow attackers to execute code under a privileged service account.
Understanding the Vulnerability
The issue stems from improper handling of symbolic links during ZIP extraction. A crafted archive can trick 7-Zip into traversing outside the intended extraction directory.
According to Trend Micro’s Zero Day Initiative (ZDI), attackers can leverage this flaw to execute arbitrary code, though attack vectors vary depending on how 7-Zip is deployed within a system.
Security researcher Ryota Shiga of GMO Flatt Security identified the defect along with a similar issue (CVE-2025-11002). Both vulnerabilities were disclosed to 7-Zip developers in May and patched in 7-Zip version 25.00, released in July 2025.
Active Exploitation Confirmed
Despite the fix, many systems remain unpatched — and threat actors have begun targeting them.
NHS England issued a warning stating:
“Active exploitation of CVE-2025-11001 has been observed in the wild.”
A publicly available proof-of-concept (PoC) exploit further lowers the barrier to abuse. The PoC demonstrates how attackers can manipulate symbolic links to write files outside the extraction folder. In some environments, this can escalate to full arbitrary code execution.
Technical Details of the Exploit
Security engineer Dominik C. provided additional insight into how the flaw manifests on Windows systems:
The vulnerability affects 7-Zip versions 21.02 through 24.09.
It occurs when converting Linux-style symbolic links into Windows paths.
7-Zip incorrectly treats certain absolute Windows paths (e.g.,
C:\…) as relative, enabling directory traversal.Attackers can craft malicious symbolic links that cause 7-Zip to write files to arbitrary directories on the system.
Critically, exploitation is only viable when 7-Zip runs with administrative or service-level privileges, because creating symlinks on Windows requires elevated permissions.
This means environments where automated services or privileged accounts use 7-Zip—such as backup systems, deployment tools, or automated file ingestion services—are at highest risk.
Mitigation and Recommendations
Organizations should:
Update 7-Zip to version 25.00 or later immediately.
Audit systems to ensure no legacy or embedded applications are using vulnerable versions.
Restrict the use of 7-Zip in automated or privileged service contexts.
Monitor for suspicious ZIP archives or unexpected symbolic link behavior.
NHS England’s advisory highlights the ongoing risk posed by overlooked file-handling tools within enterprise workflows and reinforces the need for timely patch management.