Published on November 19, 2025
7-Zip vulnerability is being actively exploited, NHS England warns (CVE-2025-11001)
Severity
High
NHS England Digital has issued a security alert regarding a 7-Zip vulnerability, CVE-2025-11001, that is currently being actively exploited in the wild. The advisory does not specify who detected the attacks or whether they are targeted or widespread.
This vulnerability, along with CVE-2025-11002, was introduced in 7-Zip v21.02 and later fixed in 7-Zip v25.00, released in July 2025. Both flaws were publicly disclosed on October 7, 2025, through Zero Day Initiative advisories, credited to Ryota Shiga of GMO Flatt Security. Shiga identified the issues using the company’s AI-driven application security auditor (Takumi). The flaws involve improper handling of symbolic links within ZIP archives. A malicious ZIP file can manipulate directory traversal paths, enabling potential execution of code under the privileges of a service account.
A separate security researcher known as PacBypass later analyzed code differences between 7-Zip v24.09 and v25.00, publishing a technical report and a proof-of-concept exploit for CVE-2025-11001. They noted that the vulnerability is only exploitable on Windows, and primarily when executed by elevated accounts or on systems where Developer Mode is enabled, due to Windows’ symlink creation restrictions.
An additional related vulnerability, CVE-2025-55188, an arbitrary file write issue tied to symbolic link handling, was disclosed in August 2025 and fixed in 7-Zip v25.01. The 7-Zip maintainer, Igor Pavlov, confirmed that symlink handling was revised for greater security.
| CVE Number | Description | CVSS Score (Severity) |
| --- | --- | --- |
| CVE-2025-11001 | Path/directory traversal via improper symlink handling in ZIP archives. Can lead to code execution under service account context. | 7.0 (High) |
| CVE-2025-11002 | Additional directory traversal flaw introduced in the same version, also tied to symlink processing issues. | Not published |
| CVE-2025-55188 | Arbitrary file write vulnerability due to unsafe symlink handling during file extraction, potentially enabling code execution. | Not published |
Affected Version
Vulnerable versions include all releases prior to:
- 7-Zip v25.00 — patches CVE-2025-11001 and CVE-2025-11002
- 7-Zip v25.01 — patches CVE-2025-55188
Recommendation
Because 7-Zip does not have an automatic update feature, users and organizations should:
- Update immediately to the latest version of 7-Zip.
- Remove outdated or vulnerable versions from systems.
- Avoid extracting untrusted archives using privileged accounts.
- Monitor for signs of exploitation, such as unexpected service account activity.
- Integrate vendor advisories into vulnerability management workflows.
NHS England Digital will provide additional information once further investigation details are available.
