Two vulnerabilities in 7-Zip are being exploited in the wild, and both were fixed before the attacks started. CVE-2025-0411 was patched in November 2024; CVE-2025-11001 was patched in July 2025. The reason they are still news is that 7-Zip has no automatic update mechanism, so a fix that shipped months ago only protects the machines whose owners installed it by hand.
The two flaws have little in common beyond the product name. Treating them as a single story about two 7-Zip CVEs, as several advisories have, obscures that they are different bugs found by different researchers and exploited in different ways.
The MotW Bypass That Hit Ukrainian Government Systems
CVE-2025-0411 lets an attacker strip the Mark-of-the-Web flag from files inside an archive. Windows uses that flag to mark anything downloaded from the internet as untrusted, which is what triggers the SmartScreen warning before you run an unknown executable. Trend Micro’s Zero Day Initiative, which found the flaw, showed that nesting one archive inside another stopped 7-Zip from passing the flag through to the inner files. Extract the archive and the payload runs without a warning.
Peter Girnus of the Zero Day Initiative attributed the campaign to Russian cybercrime groups, who used it from at least September 2024 in spear-phishing emails against Ukrainian targets. The attackers disguised executables as Word documents using homoglyphs, swapping Latin letters for visually identical Cyrillic ones, to deliver the SmokeLoader malware. Trend Micro counted at least nine affected Ukrainian organizations, including the Ministry of Justice and the Kyiv water and transport utilities.
7-Zip creator Igor Pavlov fixed it in version 24.09, released on 30 November 2024. A working proof-of-concept is now public.
The Symlink Bug That Needs a Service Account to Bite
CVE-2025-11001 is a directory traversal flaw. A crafted ZIP file with malicious symbolic links can make 7-Zip write files outside the folder you extracted to, which in the right conditions becomes remote code execution. Ryota Shiga of GMO Flatt Security reported it, and the fix shipped in version 25.00 in July 2025, alongside a near-identical sibling, CVE-2025-11002.
The precondition matters, and most coverage skipped past it. According to the Zero Day Initiative, the exploit runs in the context of a service account, which means full code execution requires 7-Zip to be running with elevated privileges or on a machine with developer mode enabled. On an ordinary desktop, double-clicking a malicious ZIP is unlikely to hand over the system. On a build server or an automated extraction pipeline running as a service, it is a different matter.
NHS England Digital confirmed active exploitation in an advisory on 18 November 2025. A researcher using the handle PacBypass had already published a proof-of-concept after diffing the code between versions 24.09 and 25.00, which is the standard way these patched-but-undisclosed bugs get weaponised.
Why Critical Overstates the Score
Both CVEs carry a CVSS score of 7.0. That is High, not Critical, in the standard rating bands, and both NVD and the Zero Day Initiative score them that way. Several vendor advisories have rounded the language up to critical regardless. The justification is real, but it is not the score. 7-Zip is installed on an enormous number of machines, many of them outside any central patch management, and a fix nobody applies is worth nothing. The risk lives in the deployment, not the CVSS.
Update to 25.00, Because Nothing Else Will
Check the version you are running. Anything before 24.09 is exposed to the MotW bypass; anything before 25.00 is exposed to the symlink flaws. Version 25.00 closes both, and 25.01 also fixes a later symbolic-link file-write bug, CVE-2025-55188, so 25.01 or later is the version to standardize on.
There is no updater to do this for you. Inventory every machine and build agent that has 7-Zip installed, including the copies bundled inside other tools, and replace them. Until then, treat ZIP files from untrusted sources as hostile, especially on any system where 7-Zip runs with elevated rights.
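The inventory step above, as an added PowerShell example that is not from the article or from the 7-Zip project: it scans a Windows host for every 7-Zip binary, including copies bundled inside other tools, and reports which of the flaws discussed here each copy is still exposed to. It assumes PowerShell 5.1 or later, read access to the scanned directories, and that the binaries carry a "major.minor" ProductVersion resource such as "24.09" (the scan roots and binary names are assumptions you may need to widen).

```powershell
# Added example: inventory 7-Zip copies on this host and flag outdated ones.
# Assumed scan roots and file names; widen them for your own environment.
$MinimumVersion = [version]'25.01'   # parses as 25.1; the version the article recommends
$ScanRoots      = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA")
$BinaryNames    = @('7z.exe', '7zG.exe', '7zFM.exe', '7za.exe', '7z.dll')

function ConvertTo-7ZipVersion {
    # Turn a resource string such as "24.09" or "25.01 (x64)" into a [version]
    # so it compares numerically; returns $null when it cannot be parsed.
    param([string]$Raw)
    if ($Raw -match '^\s*(\d+)\.(\d+)') { return [version]"$($Matches[1]).$($Matches[2])" }
    return $null
}

function Get-7ZipExposure {
    # Map a parsed version to the flaws the article lists as fixed per release.
    param([version]$Version)
    $exposed = @()
    if ($Version -lt [version]'24.09') { $exposed += 'CVE-2025-0411 (MotW bypass)' }
    if ($Version -lt [version]'25.00') { $exposed += 'CVE-2025-11001/11002 (symlink traversal)' }
    if ($Version -lt [version]'25.01') { $exposed += 'CVE-2025-55188 (symlink file write)' }
    return $exposed
}

function Find-7ZipBinaries {
    # Walk each root and return every file whose name matches a known 7-Zip binary
    # (catches copies bundled with other software, not just the default install).
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $BinaryNames -contains $_.Name }
    }
}

$report = foreach ($bin in Find-7ZipBinaries -Roots $ScanRoots) {
    $info = $bin.VersionInfo
    $raw  = if ($info.ProductVersion) { $info.ProductVersion } else { $info.FileVersion }
    $ver  = ConvertTo-7ZipVersion $raw
    [pscustomobject]@{
        Path     = $bin.FullName
        Version  = if ($ver) { $ver.ToString() } else { 'unknown' }
        Outdated = (-not $ver) -or ($ver -lt $MinimumVersion)   # unparseable = treat as outdated
        Exposed  = if ($ver) { (Get-7ZipExposure $ver) -join '; ' } else { 'unknown version' }
    }
}
$report | Sort-Object Outdated -Descending | Format-Table -AutoSize
```

Run it under an account that can read the program directories; an empty Exposed column with Outdated false is the only acceptable result for a host you consider patched.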
References
- CVE-2025-0411: Ukrainian Organizations Targeted in Zero-Day Campaign and Homoglyph Attacks
- Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections
- NVD – CVE-2025-0411
- ZDI-25-949
- Hackers Actively Exploiting 7-Zip Symbolic Link-Based RCE Vulnerability
- Public PoC Exploit for 7-Zip Vulnerability Is Available
- 7-Zip RCE Flaw CVE-2025-11001 Actively Exploited in Attacks in the Wild
- Active Exploitation of 7-Zip RCE Vulnerability Shows Why Manual Patching Is No Longer an Option
May 26, 2026