Overview
Two recently disclosed 7-Zip vulnerabilities allow malicious actors to execute code remotely through specially crafted ZIP files. If a victim runs 7-Zip in a privileged context and extracts a crafted ZIP file that uses symbolic links, the extraction process is able to traverse outside the destination directory and write files, including potentially malicious executables, to unintended locations. Both vulnerabilities, CVE-2025-11001 and CVE-2025-11002, have been assigned a CVSS score of 7.0 and are resolved in 7-Zip version 25.00 and above.
CVE-2025-11001 & CVE-2025-11002
The first flaw behind CVE-2025-11001 and CVE-2025-11002 lies in how 7-Zip handles Linux symbolic links within Windows environments. Before the patch was released, 7-Zip's extraction code would take an absolute Windows path beginning with “C:\” and incorrectly label it as relative.
The second flaw is in the safety check applied to that link target. Because the link is treated as relative, a newly constructed absolute path is checked and created instead of the real one. This is where an attacker can specify an arbitrary path as the true destination. In a crafted ZIP file, the link can be pointed at directories such as the Windows Startup folder or other sensitive locations to achieve arbitrary execution.
In short, CVE-2025-11001 and CVE-2025-11002 are enabled by two key logic flaws:
- Flaw 1: When “C:\” is added to a Linux symbolic link, it will incorrectly treat the path as a relative path.
- Flaw 2: Due to the path being treated as a relative path, it will bypass the validation performed by the “IsSafePath” function.
Under certain conditions when successfully exploited, an attacker could execute malicious code as a service account.
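As an added illustration, not code from this advisory or from 7-Zip, the following Python scans a ZIP archive before extraction and flags symlink entries whose target is absolute (including the drive-letter form described above) or resolves outside the extraction root. The archive it scans is constructed inside the script with placeholder paths; 7-Zip's own internals are not reproduced.

```python
import io
import posixpath
import stat
import zipfile
from typing import List, Optional, Tuple


def classify_link_target(entry_name: str, target: str) -> Optional[str]:
    """Return why a symlink target is unsafe, or None if it stays inside the root.

    Both separators are normalised first, so a drive-letter target such as
    "C:\\..." is recognised as absolute whichever slash it uses.
    """
    norm = target.replace("\\", "/")
    if norm.startswith("/") or (len(norm) >= 2 and norm[0].isalpha() and norm[1] == ":"):
        return "absolute target"
    # Relative targets are resolved against the directory the link lives in.
    link_dir = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(link_dir, norm))
    if resolved == ".." or resolved.startswith("../"):
        return "target resolves outside extraction root"
    return None


def scan_archive(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (entry, target, reason) for every unsafe symlink entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # upper 16 bits carry the Unix st_mode
            if not stat.S_ISLNK(mode):
                continue
            target = zf.read(info).decode("utf-8", "replace")  # link body is the target
            reason = classify_link_target(info.filename, target)
            if reason:
                findings.append((info.filename, target, reason))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one regular file plus three Unix symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign content")
        for name, target in [
            ("docs/latest", "../README.txt"),          # stays inside the root
            ("escape_link", "../../outside"),          # classic traversal
            ("evil_link", "C:\\placeholder\\target"),  # drive-letter absolute (placeholder)
        ]:
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # mark as Unix so the mode bits are meaningful
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, target)
    return buf.getvalue()
```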
Recommendations for ThreatLocker customers
Elevation Control
ThreatLocker Elevation Control allows for granular control over the user accounts that have access to execute software in an elevated context and can prevent the misuse of deprecated or legacy privileged accounts.
Application Control
ThreatLocker Application Control can block applications that are not explicitly permitted by ThreatLocker or learned during Learning Mode, such as unauthorized Remote Monitoring and Management applications. Additional explicit deny policies can be created to prevent the usage of high-risk applications, such as 7-Zip, MSBuild, or PSExec. For applications that are high-risk, but are required by business processes, permit policies with Ringfencing™ can be utilized to restrict what resources applications can interact with, such as certain files & directories, internet access, the registry, or executing other applications.
ThreatLocker Detect and Cyber Hero MDR
ThreatLocker Detect can detect and alert your organization to possible ransomware operators' tactics and procedures, including installing ransomware tools, attempting to disable security services, deleting shadow copies, and performing data exfiltration. If you have Cyber Hero MDR, you'll hear from Cyber Hero team members quickly.
Recommendations for everyone
Consider deploying defense-in-depth strategies in conjunction with least-privilege principles, which would mitigate the primary vulnerabilities related to 7-Zip. Ensure user accounts operate under standard-level permissions, limit the use of administrator accounts, and be aware of applications or files that look unfamiliar or are placed in unusual locations. CVE-2025-11001 and CVE-2025-11002 represent a realistic and credible threat that can be defended against with industry-standard best practices and ThreatLocker services.