👤 BYTESHIELD
🗓️ 24 Sep 2025  

ZIP Slip: How 7-Zip’s Symbolic Link Flaw Opened the Gates to System Takeover

Hackers could hijack computers using booby-trapped ZIP files, thanks to a critical 7-Zip vulnerability now patched.

Fast Facts

  • Two critical vulnerabilities in 7-Zip (CVE-2025-11001 and CVE-2025-11002) allowed attackers to inject malicious code via ZIP files.
  • The flaw exploited symbolic links, letting files escape their intended folder and overwrite system files.
  • Attackers needed no elevated permissions of their own; a victim simply extracting a malicious archive was enough, with the worst outcome when that victim had administrator access.
  • Automated systems, like backup servers and file-sharing platforms, were at special risk.
  • 7-Zip version 25.00 fixes the issue by blocking unsafe symbolic links during extraction.

The Trojan ZIP: Unpacking Danger

Imagine opening a seemingly harmless package, only to find it packed with hidden tunnels leading straight into your home’s foundations. That’s exactly what happened to millions of computers using the popular 7-Zip archiver - one of the world’s favorite tools for compressing and extracting files. In 2025, researchers uncovered a pair of dangerous vulnerabilities that let hackers smuggle in malware by abusing the arcane world of symbolic links inside ZIP files.

How Did the Hack Work?

At the heart of this flaw are “symbolic links” - shortcuts in the file system that point from one place to another, a bit like secret doors in a building. Attackers crafted ZIP archives containing these links, which, when extracted with a vulnerable version of 7-Zip, could break out of the intended folder and plant files anywhere on the computer - even deep inside protected system directories. If a user (especially one with administrator privileges) opened such a ZIP, malicious files could quietly replace or add themselves to critical areas, primed to run at the next opportunity.

This trick, often called a “ZIP Slip,” isn’t entirely new. In 2018, similar issues rocked the software world, affecting dozens of tools and libraries. But 7-Zip’s popularity and widespread use in business environments - where automated systems routinely unpack ZIPs - put a fresh, dangerous spin on the threat. A single poisoned ZIP could worm its way into backup servers, file-sharing hubs, or software update systems, potentially compromising entire networks without anyone noticing.

The Race to Patch

The vulnerabilities, tracked as CVE-2025-11001 and CVE-2025-11002, were responsibly disclosed to 7-Zip’s developers in May 2025. By July, version 25.00 was released, adding strict new checks to stop symbolic links from escaping their “sandbox.” Security experts warn that the window between discovery and patching was a tense one, especially for large organizations with automated ZIP handling. Signs of compromise can include unknown files appearing in protected directories, or ZIP archives with suspiciously long file paths.
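The mechanism described above (a link entry that points outside the extraction folder, followed by a file written through it) and the kind of checks a patched extractor performs can both be shown in a few lines. The Python below is an added example written for this article, not 7-Zip's own code (7-Zip is a C++ project, and the exact logic of its 25.00 fix is not reproduced here). `safe_extract` refuses traversal entries, refuses to write through any symlink already on disk, and only creates a link whose target resolves inside the extraction root; `audit_archive` reports the same conditions without extracting anything, plus the "suspiciously long path" indicator mentioned above, using an assumed 255-character threshold. The three archives at the bottom are constructed fixtures for exercising the checks.

```python
import io
import os
import stat
import tempfile
import zipfile

MAX_NAME_LEN = 255  # assumed threshold for the "suspiciously long path" indicator


def _is_symlink(info):
    # The high 16 bits of external_attr hold the Unix mode when the archive was
    # written on a Unix-style host; S_IFLNK there marks a symbolic link entry.
    return stat.S_ISLNK(info.external_attr >> 16)


def _escapes(rel):
    # True when a relative path, once normalised, climbs above its start directory.
    rel = os.path.normpath(rel)
    return rel == os.pardir or rel.startswith(os.pardir + os.sep)


def _under(root, path):
    # True when path, after resolving links already present on disk, stays inside root.
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def audit_archive(data):
    """Scan archive bytes without extracting; return human-readable findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if len(name) > MAX_NAME_LEN:
                findings.append(f"long path ({len(name)} chars): {name[:40]}...")
            if os.path.isabs(name) or _escapes(name):
                findings.append(f"traversal: {name}")
            if _is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")  # link body is its target
                joined = os.path.join(os.path.dirname(name), target)
                kind = "symlink escape" if os.path.isabs(target) or _escapes(joined) else "symlink"
                findings.append(f"{kind}: {name} -> {target}")
    return findings


def safe_extract(data, root, allow_symlinks=False):
    """Extract into root, refusing any entry that would land outside it.
    Returns the entry names written; raises ValueError on the first unsafe entry."""
    root = os.path.realpath(root)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            dest = os.path.join(root, info.filename)
            # Check 1: the lexical destination stays under root (classic ../ traversal).
            if os.path.commonpath([root, os.path.normpath(dest)]) != root:
                raise ValueError(f"refusing traversal entry: {info.filename}")
            # Check 2: the destination still stays under root after following links
            # already on disk, so nothing is written *through* an earlier symlink.
            if not _under(root, dest):
                raise ValueError(f"refusing write through symlink: {info.filename}")
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if _is_symlink(info):
                if not allow_symlinks:
                    raise ValueError(f"refusing symlink entry: {info.filename}")
                target = zf.read(info).decode("utf-8", "replace")
                # Check 3: the link target itself must resolve inside root.
                if os.path.isabs(target) or not _under(root, os.path.join(os.path.dirname(dest), target)):
                    raise ValueError(f"refusing symlink escaping root: {info.filename} -> {target}")
                os.symlink(target, dest)
            else:
                with open(dest, "wb") as fh:
                    fh.write(zf.read(info))
            written.append(info.filename)
    return written


def check_archive(data, allow_symlinks=False):
    """Audit, then trial-extract into a scratch directory; report both outcomes."""
    report = {"findings": audit_archive(data), "extracted": [], "refused": None}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            report["extracted"] = safe_extract(data, tmp, allow_symlinks)
        except ValueError as exc:
            report["refused"] = str(exc)
    return report


def build_fixture(entries):
    """Constructed test archive (not from the article): entries are
    (name, content, is_symlink) tuples; a symlink entry's content is its target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content, is_link in entries:
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # Unix host, so the mode bits below are honoured
            info.external_attr = ((stat.S_IFLNK if is_link else stat.S_IFREG) | 0o644) << 16
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed samples: a link that climbs out of the extraction root with a file
# dropped through it, a plain ../ traversal entry, and a benign archive.
MALICIOUS = build_fixture([("link", "../../outside", True),
                           ("link/payload.txt", "constructed payload\n", False)])
TRAVERSAL = build_fixture([("../escape.txt", "constructed\n", False)])
BENIGN = build_fixture([("docs/readme.txt", "benign\n", False)])

if __name__ == "__main__":
    for label, data in (("malicious", MALICIOUS), ("traversal", TRAVERSAL), ("benign", BENIGN)):
        print(label, check_archive(data, allow_symlinks=True))
```

Check 3 is the one that corresponds to the symbolic-link problem in the article: an extractor that honours link entries, as 7-Zip does, must validate where the link points before creating it, and check 2 then guards every later write against any link that did get created. Python's own `ZipFile.extract()` sidesteps the issue differently, by never creating symlinks at all, which is why the example carries its own extraction loop. On Windows, creating symlinks normally requires extra privilege, so run the trial there with `allow_symlinks=False`, which simply refuses link entries outright.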

Similar attacks have been spotted in the wild before, such as the notorious “ZIP Slip” wave that hit enterprise software supply chains. According to a 2023 report by the cybersecurity firm Snyk, over 60% of major software projects lacked proper path validation, leaving them vulnerable to archive-based attacks. The latest 7-Zip incident underscores how even trusted, open-source tools can become unwitting accomplices in cybercrime if not kept up to date.

Lessons from the Archive

The 7-Zip vulnerability is a stark reminder that the simplest tools - used by millions every day - can become powerful weapons in the wrong hands. As the digital world grows more interconnected, attackers will keep probing for overlooked cracks in the software supply chain. The best defense? Keep software updated, scrutinize automated systems that unpack files, and stay alert for the subtle footprints hackers leave behind. In the world of cybersecurity, even a ZIP file can be Pandora’s box.

WIKICROOK

  • Symbolic Link: A symbolic link is a file system shortcut that points to another file or folder, enabling easy access from different locations without duplication.
  • ZIP Archive: A ZIP archive is a compressed file format that bundles multiple files together, making storage and sharing easier; it can also be used to hide malware.
  • Directory Traversal: Directory Traversal is a security flaw that lets attackers access or save files outside the intended folder, risking exposure of sensitive system data.
  • Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.
  • Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.

BYTESHIELD, Cloud Security Defender