November 19, 2025 By Zeljka Zorz
NHS England Digital, the technology arm of the publicly funded health service for England, has issued a warning about a 7-Zip vulnerability (CVE-2025-11001) being exploited by attackers.
“Active exploitation of CVE-2025-11001 has been observed in the wild,” the alert says, though it does not say who detected the attacks or whether they might be targeted or widespread.
CVE-2025-11001 and CVE-2025-11002
Introduced in 7-Zip v21.02, CVE-2025-11001 and CVE-2025-11002 are two path/directory traversal flaws that have been fixed in 7-Zip v25.00, released in July 2025.
The vulnerabilities were publicly revealed via Zero Day Initiative advisories on October 7, 2025, and credited to Ryota Shiga of GMO Flatt Security, who discovered them by using the company’s AI-powered application security auditor (Takumi).
“The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account,” both advisories note.
Another security researcher who goes by “PacBypass” analyzed the code differences between 7-Zip v24.09 and v25.00 and, ten days later, published a technical write-up about CVE-2025-11001 and a proof-of-concept exploit for it.
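The advisories' description (symbolic links in a ZIP file leading extraction into unintended directories) can be checked for before an archive is unpacked. The following is an added example, not code from 7-Zip, the advisories or the researchers' write-ups: a generic pre-extraction audit that lists an archive's entries without extracting them and flags symlink entries whose target leaves the extraction root, plus entries written through a symlink. The function names `escapes_root`, `audit_zip` and `build_sample` and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def escapes_root(path: str, base: str = "") -> bool:
    # Flag absolute paths, drive letters, and ".." that climbs above the root.
    p = path.replace("\\", "/")
    if p.startswith("/") or p[1:2] == ":":
        return True
    norm = posixpath.normpath(posixpath.join(base, p))
    return norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) findings without extracting anything."""
    findings, links = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/").rstrip("/")
            if escapes_root(name):
                findings.append((info.filename, "entry path leaves extraction root"))
            if any(name.startswith(link + "/") for link in links):
                findings.append((info.filename, "entry is written through a symlink"))
            # Unix-made entries keep st_mode in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                links.add(name)
                target = zf.read(info).decode("utf-8", "replace")
                # A symlink's target is resolved relative to the link's own directory.
                if escapes_root(target, posixpath.dirname(name)):
                    findings.append((info.filename, "symlink target leaves extraction root"))
    return findings


def build_sample() -> bytes:
    # Constructed sample: a regular file, an in-tree link, and a link that escapes.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        for name, target in (("docs/latest", "readme.txt"), ("docs/up", "../../elsewhere")):
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # mark the entry as Unix-made
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
        zf.writestr("docs/up/file.txt", "x")
    return buf.getvalue()
```

A check like this suits mail gateways or upload pipelines that handle archives before users open them; it does not replace updating 7-Zip to v25.00 or later.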