NHS England has confirmed that the critical CVE-2025-11001 vulnerability in 7-Zip is now under active exploitation, allowing attackers to achieve remote code execution (RCE) through manipulated symbolic links inside ZIP archives.

CVE-2025-11001 (CVSS 7.0) is being actively exploited following disclosures from Trend Micro’s ZDI, which explained how crafted ZIP files with symbolic links can force 7-Zip to traverse unintended directories, enabling arbitrary code execution.
The issue was patched in 7-Zip version 25.00 released in July 2025, but NHS England warns that many users still rely on outdated versions.
The vulnerability was discovered and reported by Ryota Shiga (GMO Flatt Security Inc.) together with the AI-based AppSec Auditor Takumi. Public proof-of-concept exploit code has accelerated its weaponization.
Version 25.00 also fixes another related issue — CVE-2025-11002, which similarly allows RCE due to improper symbolic link handling.
While NHS England reports active exploitation, details regarding who is attacking, how, and in what context remain undisclosed.
Both vulnerabilities were introduced in 7-Zip 21.02, where changes in symbolic link processing accidentally exposed the software to directory traversal and RCE.
Researcher Dominik (pacbypass), who released the PoC, noted that CVE-2025-11001 can only be exploited on Windows, and typically requires elevated privileges or Developer Mode, making it particularly dangerous in corporate environments.
Given confirmed active exploitation, all users and organizations should immediately update 7-Zip to version 25.00 or newer. With public PoC code, real-world attacks and a high-impact RCE vector, CVE-2025-11001 represents a genuine threat to Windows-based enterprise systems.
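For triage alongside patching, the following is an added example (not code from NHS England, ZDI or the 7-Zip project) that lists symbolic-link entries in a ZIP whose targets are absolute or climb out of the extraction root. It assumes links are stored with Unix mode bits in the entry's external attributes; the function names and the sample archive are constructed for illustration.

```python
import io
import ntpath
import posixpath
import stat
import zipfile

def is_symlink(info):
    # The Unix file mode sits in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)

def escapes_root(entry_name, target):
    # Treat both separators alike, since extraction happens on Windows.
    target = target.replace("\\", "/")
    if target.startswith("/") or ntpath.splitdrive(target)[0]:
        return True  # absolute POSIX path, drive letter or UNC path
    parent = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(parent, target))
    return resolved == ".." or resolved.startswith("../")

def find_risky_symlinks(archive):
    """Return (entry name, link target) for links that leave the extraction root."""
    risky = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if not is_symlink(info):
                continue
            # A symlink entry's data is the link target itself.
            target = zf.read(info).decode("utf-8", errors="replace")
            if escapes_root(info.filename, target):
                risky.append((info.filename, target))
    return risky

def build_sample():
    """Constructed test archive: one in-tree link, two that leave the root."""
    buf = io.BytesIO()
    links = [("docs/latest", "readme.txt"), ("docs/up", "../../outside"),
             ("abs", "C:\\example\\dir")]  # constructed sample targets
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in links:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix, so the mode bits are meaningful
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, target in find_risky_symlinks(build_sample()):
        print(f"{name} -> {target}")
```

A hit does not prove an exploitation attempt; it marks archives worth holding back from hosts that still run a 7-Zip build older than 25.00.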