Active exploitation reported for 7‑Zip ZIP symbolic link vulnerability

A recently disclosed vulnerability in the 7‑Zip file archiver is being actively exploited in the wild, NHS England Digital said. The advisory did not provide details on who is exploiting the flaw, how it is being weaponized or in what contexts the activity has been observed.

The flaw, tracked as CVE-2025-11001, has a CVSS score of 7.0 and can allow remote attackers to execute arbitrary code. The issue is addressed in 7‑Zip version 25.00, which was released in July 2025.

Trend Micro’s Zero Day Initiative said the specific weakness lies in the handling of symbolic links in ZIP files, where crafted data can cause processes to traverse to unintended directories and enable execution in the context of a service account. The 25.00 update also resolves a related flaw, CVE-2025-11002, which similarly stems from improper handling of symbolic links and directory traversal; both shortcomings were introduced in version 21.02.
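The traversal pattern ZDI describes, seen from the defender's side: the following added example (not code from 7‑Zip, ZDI or the researchers) audits a ZIP archive before extraction, flagging symlink entries whose target resolves outside the extraction root and later entries whose path passes through such a link. The archive it builds is constructed test data, not a real sample.

```python
import io
import posixpath
import stat
import zipfile

def is_symlink(info: zipfile.ZipInfo) -> bool:
    # ZIP keeps Unix mode bits in the upper 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)

def audit_zip(data: bytes) -> list[str]:
    """Return findings for entries that could escape the extraction root."""
    findings: list[str] = []
    links: dict[str, str] = {}  # symlink entry path -> its target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if posixpath.isabs(name) or posixpath.normpath(name).startswith(".."):
                findings.append(f"entry {name!r} traverses outside the extraction root")
                continue
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[name.rstrip("/")] = target
                resolved = posixpath.normpath(posixpath.join(posixpath.dirname(name), target))
                if posixpath.isabs(target) or resolved.startswith(".."):
                    findings.append(f"symlink {name!r} -> {target!r} escapes the extraction root")
                continue
            # A later entry whose path passes through an earlier symlink entry
            # would be written wherever that link points.
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append(f"entry {name!r} is written through symlink {prefix!r}")
                    break
    return findings

def build_sample_zip() -> bytes:
    """Constructed test archive (not a real sample) exercising both checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        link = zipfile.ZipInfo("docs/escape")
        link.create_system = 3  # Unix host OS, so extractors honour the mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
        zf.writestr("docs/escape/note.txt", "written through the link")
    return buf.getvalue()
```

Run `audit_zip(build_sample_zip())` to see the two findings; the benign `docs/readme.txt` entry produces none.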

Credit for the discovery is given to Ryota Shiga of GMO Flatt Security Inc. and the company’s AI‑powered AppSec Auditor Takumi. Proof‑of‑concept exploit code is publicly available on GitHub, and researcher Dominik (aka pacbypass) published a technical analysis on his blog.

According to the researcher, the vulnerability can only be exploited from the context of an elevated user or service account, or on a machine with developer mode enabled, and it affects Windows systems. Given that proof‑of‑concept code exists, users and administrators are urged to apply the 7‑Zip 25.00 update promptly to reduce exposure.