Vulnerabilities

How to Fix 7-Zip Vulnerability with PoC Exploit (CVE-2025-11001)

A vulnerability newly disclosed by the Zero Day Initiative affects the widely used open-source archiver 7-Zip. The vulnerability, CVE-2025-11001, is a serious security flaw caused by improper handling of symbolic links in ZIP files and can enable arbitrary code execution. To make matters worse, the UK NHS now reports that a security researcher has published a proof-of-concept exploit, making it more likely that attackers will try to exploit it soon. Therefore, immediate patching is advised.

What is CVE-2025-11001?

CVE-2025-11001 is a vulnerability in 7-Zip (and related builds such as p7zip) with a CVSS score of 7.0 (High). It lies in the handling of symbolic links in ZIP files. Symbolic links are shortcuts that point to another file or folder; in a ZIP file they record the locations that files are zipped from, or unzipped to. When such an archive is extracted, crafted link data can cause the extraction process to traverse to directories outside the intended destination, allowing it to write or extract files in unintended locations.

Why is CVE-2025-11001 dangerous?

The CVE is dangerous because extracting a malicious ZIP file can allow an attacker to write files outside the designated directories and execute code within the context of the extraction process. This means that malicious code could run under a service account or privileged user rather than a normal restricted user, potentially leading to full system compromise, persistence, and lateral movement.

Some further factors adding to the risk of this CVE:

Proof of Concept (PoC) exploit: The UK NHS warned that a PoC exploit now exists, which attackers can use as a blueprint or as functional code to develop and launch attacks, significantly lowering the bar for successful exploitation.

Ease of exploit: The flaw is relatively easy to exploit since the only thing required is for an unsuspecting user to open or extract a malicious archive. As mentioned above, the malicious code can execute with much higher privileges than those of the user who opened the file.

Wide attack surface: 7-Zip is widely used on endpoints, servers, file-sharing services, and automated extraction workflows. A vulnerability in such a commonly used tool means many potential targets and many unpatched instances.

Which systems are affected?

CVE-2025-11001 affects all 7-Zip and p7zip versions prior to 25.00, but it is only exploitable on Windows, because it relies on the way the Windows operating system creates and handles symbolic links, which differs from other file systems.

To summarize, systems that meet both criteria below are affected by this CVE:

  • All 7-Zip and p7zip versions prior to 25.00
  • Running on a Windows operating system

How to remediate CVE-2025-11001

The good news is that the 7-Zip developer already released version 25.00 in July 2025, which addresses this vulnerability. However, since 7-Zip has no built-in auto-update feature, it must be updated manually or through third-party tools, custom scripts, or enterprise software deployment systems such as Microsoft Intune. This means it is highly likely that many systems are still running an older, vulnerable version.

To remediate CVE-2025-11001 manually, you will need to:

  • Find all affected 7-Zip versions prior to 25.00 running on Windows
  • Update 7-Zip to the latest version, which is now 25.01.
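The two steps above, as an added PowerShell example that is not Mondoo's own remediation script: it inventories 7-Zip installs on a Windows host through the Uninstall registry hives and the default install folders, flags anything below 25.00, and, where winget is available, applies the update. The registry paths, install folders and the winget package id 7zip.7zip are assumptions about a standard Windows setup.

```powershell
# Added example (not Mondoo's script): find 7-Zip installs on a Windows host that
# are still below 25.00 and therefore affected by CVE-2025-11001.
# Assumptions: standard Uninstall registry hives and default install folders;
# winget (package id 7zip.7zip) is one of several ways to apply the update.
$FixedVersion = [version]'25.0'

function Get-SevenZipInstall {
    $hives = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # Registered installs, including 32-bit builds on 64-bit Windows
    $found = @(Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '7-Zip*' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Registry'
                Version = ($_.DisplayVersion -replace '[^\d.].*$') -as [version]   # "24.08" -> 24.8
                Path    = $_.InstallLocation
            }
        })
    # Portable copies never register an uninstall entry, so check the binary as well
    foreach ($exe in "$env:ProgramFiles\7-Zip\7z.exe", "${env:ProgramFiles(x86)}\7-Zip\7z.exe") {
        if (Test-Path -LiteralPath $exe) {
            $found += [pscustomobject]@{
                Source  = 'Binary'
                Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion -as [version]
                Path    = $exe
            }
        }
    }
    return $found
}

function Test-SevenZipVulnerable {
    # An install whose version cannot be parsed is reported too, for manual review
    Get-SevenZipInstall | Where-Object { $null -eq $_.Version -or $_.Version -lt $FixedVersion }
}

$vulnerable = @(Test-SevenZipVulnerable)
if ($vulnerable.Count -eq 0) {
    Write-Output "No 7-Zip below $FixedVersion found; host is not affected by CVE-2025-11001."
} else {
    Write-Warning "7-Zip below $FixedVersion present (CVE-2025-11001):"
    $vulnerable | Format-Table -AutoSize
    # Update via winget where available; otherwise push the 25.01 installer through
    # your deployment tooling and re-run this script to verify the fix.
    if (Get-Command winget -ErrorAction SilentlyContinue) {
        winget upgrade --id 7zip.7zip --exact --silent --accept-source-agreements --accept-package-agreements
    }
}
```

Run it as an administrator so both registry hives and Program Files are readable; the final re-run after updating is the verification step.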

How Mondoo can help

Mondoo is a vulnerability management platform that scans your environment for vulnerabilities and prioritizes them for remediation. A scan by Mondoo will quickly reveal any vulnerable 7-Zip installations.

[Screenshot: Mondoo finds CVE-2025-11001 in 7-Zip on a Windows asset]

To help you remediate as fast as possible, Mondoo provides guided remediation steps as well as a PowerShell script that can be copied and pasted to update the 7-Zip instance to the latest version.

[Screenshot: Mondoo provides a ready-to-use PowerShell script to fix the vulnerability]

To bridge the gap between security and IT Ops teams, Mondoo offers ticketing integrations with ITSM systems, so issues can quickly be forwarded to IT Ops with all the relevant asset details, remediation information, and code snippets. This enables engineers to address risks quickly. Mondoo will then verify that the issue has been resolved and automatically close the ticket if the fix is complete.

Mondoo also provides agentic vulnerability patching, in which AI agents automatically create remediation pull requests in the Mondoo security pipeline; platform engineers then only need to review and approve them to get the fix applied.


Christoph Hartmann

Christoph Hartmann, co-founder and CTO at Mondoo, wants to make the world more secure. He’s long been a leader in security engineering and DevOps, creating widely adopted solutions like Dev-Sec.io and InSpec. For fun, he builds everything from custom operating systems to autonomous Lego Mindstorm robots.

Deborah Galea

Deborah is Director of Product Marketing at Mondoo and leads messaging and positioning, product launches, and sales enablement. She has 20+ years of experience in the cybersecurity industry. Prior to Mondoo, Deborah was Director of Product Marketing at Orca Security and held various marketing positions at other cybersecurity companies. She co-founded email security company Red Earth Software, which was acquired by cybersecurity firm OPSWAT in 2014.
