7-Zip: The Silent Security Disaster Millions Didn't Notice

Do you use 7-Zip to extract RAR files? Or to open downloaded ZIP archives? Then you may not have been affected for months. Or maybe you were, and you didn't notice.

In October 2025, it became public: 7-Zip had two high-severity vulnerabilities (CVE-2025-11001 and CVE-2025-11002) that attackers exploited to execute arbitrary code on your machine.

The problem: Symlink traversal and code execution

Sounds dramatic? It is. Here's how it works:

An attacker creates a malicious ZIP file with specially manipulated data. If you unpack the archive with an older 7-Zip version, its incorrect handling of symlinks (symbolic links) leads to a directory traversal. This allows the attacker to write files outside the target folder – possibly placing malicious code in sensitive system locations.

A classic symlink traversal attack. This is nothing new in security, but when it hits 7-Zip – a tool that millions use every day – it gets serious.
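
For defenders, a pre-extraction check in Python, added here as an example (it is not part of the original post and not 7-Zip's code, and it does not reproduce the specific 7-Zip bug): it lists ZIP entries that are symlinks pointing outside the target folder, and entries that would be written through a symlink. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import stat
import zipfile


def leaves_root(path: str) -> bool:
    """True if path is absolute, has a drive letter, or climbs above the root."""
    p = path.replace("\\", "/")
    if p.startswith("/") or p[1:2] == ":":
        return True
    norm = posixpath.normpath(p)
    return norm == ".." or norm.startswith("../")


def audit_zip(data: bytes) -> list:
    """Return (entry, reason) pairs for entries that should block extraction."""
    findings, links = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
        for info in entries:
            name = info.filename
            if leaves_root(name):
                findings.append((name, "entry path leaves extraction root"))
            # The Unix file mode sits in the high 16 bits of external_attr.
            if stat.S_ISLNK(info.external_attr >> 16):
                links.append(name.rstrip("/") + "/")
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                # A relative target resolves from the link's own directory.
                base = "" if target[1:2] == ":" else posixpath.dirname(name)
                if leaves_root(posixpath.join(base, target)):
                    findings.append((name, "symlink target leaves extraction root"))
        for info in entries:
            # A later entry whose path runs through a link lands wherever the link points.
            if any(info.filename.startswith(d) for d in links):
                findings.append((info.filename, "entry is written through a symlink"))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: a normal file, an escaping link, a file behind it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
        zf.writestr("docs/link/note.txt", "placeholder")
    return buf.getvalue()
```

Calling `audit_zip(build_sample())` reports the link and the file behind it; an empty result means none of these checks fired, not that the archive is safe to open with an unpatched extractor.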

How long has the problem been there?

That's the scary question. The vulnerabilities were reported to the developer on May 2, 2025. The public announcement was made only on October 7, 2025.

That's over five months, during which security researchers gave Igor Pavlov time to develop a patch. This is called responsible disclosure. The good side: The patch was ready before the world learned there was a problem.

The bad side? Everyone was vulnerable the whole time.

Version 25 was the fix

Igor Pavlov, the 7-Zip developer, acted quickly. Version 25.00 was released on July 5, 2025 and fixed the vulnerabilities alongside several minor issues with RAR and COM archive handling. The current stable version is 25.01 (August 2025).

The problem: No one knew why the update was important, because the security details had not been published.

Why this is so dangerous: The 7-Zip update problem

Here is the key weakness: 7-Zip does not update automatically. Many people use older portable copies that are never updated.

This is not just a design weakness. This is a security architecture disaster.

Compare this to Chrome, Firefox or Windows: These tools update automatically in the background. You get the security fixes without thinking about it.

7-Zip? You have to go to the website yourself, download the new version and install it. How many of you do this regularly?

Exactly.

And then there are the enterprise environments: 7-Zip is often not covered by patch management systems because it is not installed via the Windows Installer or a central repository. It lives as a foreign body in the IT infrastructure.

The Escalation of 7-Zip Problems

This isn't the first time 7-Zip has hit the headlines. In early 2025, CVE-2025-0411 was discovered, a vulnerability that allowed attackers to bypass the Windows Mark-of-the-Web (MoTW) safeguards by hiding files in nested archives and removing the "downloaded from the Internet" warning. This had been fixed in version 24.09 (November 2024).

But how many had actually installed 24.09?

Now it's version 25.01. How many will actually install it?

This is the pattern that is emerging: 7-Zip is like a car with a new safety flaw every week, where the mechanic can only hope that you come by on your own to have it fixed.

CVSS 7.0: What does that mean?

Both vulnerabilities have a CVSS base score of 7.0. Exploitation requires user interaction, but the hurdle is low: Simply opening or extracting a malicious archive is enough.

This is not ‘critical’ but ‘high’. It gets that rating because you still have to click on a file. But ZIP files from emails? Downloads from the Internet? This is exactly the interaction that happens millions of times every day.

What is recommended?

The answer is clear: If you use 7-Zip, you should immediately update to version 25.01 or later, which can be downloaded directly from the official website. The installer replaces the old copy and keeps your settings.

And until then? Be extremely careful with ZIP files from unknown sources. Avoid opening archives that look suspicious or come from unverified emails.

The larger pattern

This is what is fascinating and at the same time frightening: Compression tools are everywhere. ZIP, RAR, 7Z: all widely used, all often underestimated as a security risk.

And while 7-Zip is a legitimate open source project by Igor Pavlov, which he obviously manages on his own, here is a fundamental problem: Critical infrastructure with a single maintainer and no auto-update mechanism is a security risk, not a solution.

What's left?

The good news: The patch is here and it works.

The bad news: Millions will never know. Millions will never update. Attackers know this.

Conclusion: 7-Zip is a great tool, but it's also a reminder that not every software project follows modern security practices. Auto-updates, responsible disclosure, prompt patching: all well and good. But if your tool doesn't keep up with the times, it becomes a security risk.

Update to 25.01. Now! Not tomorrow.