Overview
- An NHS England Digital advisory says CVE‑2025‑11001 is being used in real‑world attacks, without disclosing attribution, methods, or scope.
- The flaw stems from unsafe handling of symbolic links in ZIP archives that can traverse directories and execute code in a service account’s context, according to ZDI.
- Exploitation is feasible only on Windows and requires either an elevated user or service account, or a system with Developer Mode enabled, the PoC author notes.
- A public proof‑of‑concept is available, and security outlets urge immediate updates because 7‑Zip does not auto‑update.
- The issue was introduced in 7‑Zip 21.02 and fixed in 25.00 alongside CVE‑2025‑11002, with a related symlink bug (CVE‑2025‑55188) addressed in 25.01; discovery is credited to Ryota Shiga via ZDI.
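The third bullet above describes the underlying weakness: a ZIP entry flagged as a symbolic link whose target points outside the extraction directory. The following is an added defensive example, not code from the page, from 7‑Zip, or from ZDI; it shows how a defender can screen an archive for such entries before handing it to an extractor. It assumes the standard ZIP convention of storing Unix file modes in the upper 16 bits of an entry's external attributes, and the sample archive it inspects is constructed inline.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """True if the entry carries a Unix symlink mode in its external attributes."""
    mode = (info.external_attr >> 16) & 0xFFFF  # upper 16 bits hold st_mode
    return stat.S_ISLNK(mode)


def escapes_root(entry_name: str, target: str) -> bool:
    """True if a link stored at entry_name that points to target would resolve
    outside the extraction root (absolute path, drive letter, or '..' climb)."""
    t = target.replace("\\", "/")
    if t.startswith("/") or (len(t) > 1 and t[1] == ":"):
        return True  # absolute POSIX path or Windows drive-letter path
    base = posixpath.dirname(entry_name.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(base, t))
    return resolved == ".." or resolved.startswith("../")


def scan_zip(data: bytes) -> list:
    """Return one finding per symlink entry or traversal-style entry name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Plain entry names that climb out of the root are suspicious too.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append({"name": info.filename, "kind": "path",
                                 "target": None, "escapes": True})
            if is_symlink_entry(info):
                # For a symlink entry the stored data is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                findings.append({"name": info.filename, "kind": "symlink",
                                 "target": target,
                                 "escapes": escapes_root(name, target)})
    return findings


def suspicious(findings: list) -> list:
    """Subset of findings that should block extraction."""
    return [f for f in findings if f["escapes"]]


def build_sample_archive() -> bytes:
    """Constructed test fixture (hypothetical content, not a real sample):
    one ordinary file, one in-tree symlink, one symlink that climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")

        ok_link = zipfile.ZipInfo("docs/link_ok")
        ok_link.create_system = 3  # 3 = Unix, so the mode bits are meaningful
        ok_link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(ok_link, "readme.txt")

        out_link = zipfile.ZipInfo("docs/link_out")
        out_link.create_system = 3
        out_link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(out_link, "../../outside.txt")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        flag = "BLOCK" if f["escapes"] else "ok"
        print(f"{flag:5} {f['kind']:8} {f['name']} -> {f['target']}")
```

This screens the archive's metadata only; it never extracts anything. The check is a pre-filter for an ingestion pipeline or mail gateway, not a replacement for updating 7‑Zip, since an extractor that follows links at extraction time can still be misled by a link that looks in-tree on its own but is combined with later entries.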