CVE-2025-11001 and CVE-2025-11002 Vulnerabilities: Critical Flaws in 7-Zip Enable Remote Code Execution

October 14, 2025 · 3 min read

As this fall season brings a surge of newly disclosed vulnerabilities and heightened patch activity across the cybersecurity landscape, organizations are once again facing critical risks on the horizon. Following the recent disclosure of CVE-2025-10035, which enables unauthenticated command injection and RCE, two additional security flaws have emerged. Identified as CVE-2025-11001 and CVE-2025-11002, these critical vulnerabilities in 7-Zip, the widely used open-source file archiver, could allow remote attackers to execute arbitrary code, potentially resulting in complete system compromise, data theft, or ransomware deployment.

In 2025, vulnerability management continues to grow in importance as organizations navigate an expanding cybersecurity landscape. More than 35,000 vulnerabilities have been disclosed globally, a 21% year-over-year increase that highlights the ongoing challenges faced by security teams. Around one-third of these were categorized as High or Critical severity, reflecting a steady rise in potential risk and underscoring the need for more resilient protection strategies.

Sign up for the SOC Prime Platform to tap into the top cybersecurity expertise combined with AI-driven intelligence for enterprise-grade cyber defense. The Platform provides curated, context-rich detections designed to help organizations stay ahead of cyber threats of all complexity, including the growing number of vulnerabilities in widely used software. Press the Explore Detections button below to quickly access a comprehensive library of Sigma rules, filtered by the “CVE” tag, enabling proactive detection of both known and emerging exploits.

Explore Detections

All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant metadata.

Security engineers can also leverage Uncoder AI, an IDE and co-pilot for detection engineering. With Uncoder, defenders can instantly convert IOCs into custom hunting queries, craft detection code from raw threat reports, generate Attack Flow diagrams, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-11001 and CVE-2025-11002 Analysis

Two critical file-parsing directory traversal flaws have recently been uncovered in 7-Zip, potentially allowing remote attackers to execute arbitrary code. The vulnerabilities, tracked as CVE-2025-11001 and CVE-2025-11002, impact all versions prior to the latest release and require immediate patching.

Both vulnerabilities originate from improper handling of symbolic links within ZIP archives. According to the ZDI advisories, a maliciously crafted ZIP file can exploit this weakness to trigger directory traversal, enabling code execution under the privileges of the vulnerable application. Researchers note that attackers can craft ZIP files containing symbolic link entries that escape designated directory boundaries, leading to unauthorized file access and RCE.

When handling certain archives, 7-Zip may follow symbolic links that resolve outside the designated extraction directory. This behavior can be exploited to overwrite arbitrary files or inject malicious payloads into critical system locations, potentially enabling attackers to execute code via dependent services or scheduled processes. Exploitation requires no elevated privileges and only minimal user action, such as extracting or opening a crafted archive in a vulnerable environment.

7-Zip version 25.00 addresses both vulnerabilities by enforcing safe path canonicalization and blocking symbolic links that escape the intended extraction directory. As the primary CVE-2025-11001 and CVE-2025-11002 mitigation steps, organizations relying on automated ZIP extraction should review logs for anomalous directory traversal patterns and deploy the patched version promptly. Security teams should audit systems that automatically process ZIP files, especially in enterprise file-sharing and automated backup solutions. Implementing strict directory sanitization or disabling automatic extraction in untrusted contexts can mitigate exploitation prior to patch deployment. By relying on SOC Prime’s complete product suite, backed by AI, automated capabilities, real-time threat intel, and built on zero-trust milestones, global organizations are fully equipped with cutting-edge technologies for proactive cyber defense at scale.
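As an added example (not code from 7-Zip or from SOC Prime), the following Python pre-extraction audit implements the two controls described above for automated ZIP pipelines: canonicalize every entry against the extraction root and reject symlink entries that resolve outside it, and additionally flag any later entry whose path passes through a symlink entry. The extraction root `/tmp/extract` and the sample archive built by `build_sample_zip()` are assumptions constructed for the demonstration.

```python
import io
import os
import stat
import zipfile
from pathlib import PurePosixPath

def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    # The Unix file mode is stored in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)

def escapes_root(root: str, relpath: str) -> bool:
    # Canonicalize root and candidate the same way, then require containment.
    root_abs = os.path.realpath(root)
    target_abs = os.path.realpath(os.path.join(root_abs, relpath))
    return os.path.commonpath([root_abs, target_abs]) != root_abs

def audit_zip(data: bytes, root: str = "/tmp/extract") -> dict:
    """Map each unsafe entry name to the reason it must not be extracted."""
    findings, symlinks = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = PurePosixPath(name).parts
            if name.startswith("/") or ".." in parts:
                findings[name] = "entry name escapes extraction root"
            elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                # A parent component is a symlink from an earlier entry, so the write
                # would follow it. Flagged even if it stays inside root (conservative).
                findings[name] = "writes through a symlink entry"
            elif is_symlink_entry(info):
                target = zf.read(info).decode("utf-8", "replace")  # link body = target
                symlinks.add(name.rstrip("/"))
                if escapes_root(root, os.path.join(os.path.dirname(name), target)):
                    findings[name] = f"symlink target {target!r} escapes extraction root"
    return findings

def build_sample_zip() -> bytes:
    # Constructed sample archive (not a real exploit file): a benign file, a symlink
    # pointing outside the extraction root, a file written through it, and a '..' name.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        link = zipfile.ZipInfo("cfg")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
        zf.writestr(link, "../../etc")
        zf.writestr("cfg/hosts", "placeholder")
        zf.writestr("../escape.txt", "placeholder")
    return buf.getvalue()
```

Run the audit before any automated extraction and quarantine archives that produce findings; a clean result means every entry canonicalizes inside the root and no entry is written through a symlink.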
