Wiz
Base de datos de vulnerabilidadesCVE-2025-11001

CVE-2025-11001
7-Zip Análisis y mitigación de vulnerabilidades

Vista general

A critical security vulnerability (CVE-2025-11001) was discovered in 7-Zip, affecting versions from 21.02 up to version 25.00. The flaw was discovered by Ryota Shiga of GMO Flatt Security Inc., along with the company's AI-powered AppSec Auditor Takumi, and was publicly disclosed on October 7, 2025. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip through the manipulation of symbolic links in ZIP files (Zero Day Initiative, Hacker News).

Técnicas

The vulnerability has been assigned a CVSS score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists within the handling of symbolic links in ZIP files, where crafted data can cause the process to traverse to unintended directories. The vulnerability is specifically limited to Windows systems and can only be exploited from the context of an elevated user/service account or a machine with developer mode enabled (Zero Day Initiative, Help Net Security).

Impacto

When successfully exploited, the vulnerability allows attackers to execute code in the context of a service account. The attack requires user interaction, but the vectors may vary depending on the implementation. The impact is particularly significant for systems where 7-Zip is used with elevated privileges (Zero Day Initiative, Security Affairs).

Mitigación y soluciones alternativas

The vulnerability has been fixed in 7-Zip version 25.00, released in July 2025. Users are strongly advised to upgrade to this version or later as soon as possible, especially given that 7-Zip does not have an auto-update feature. This is particularly crucial due to the availability of public proof-of-concept exploits and active exploitation in the wild (Help Net Security, Hacker News).

Reacciones de la comunidad

NHS England Digital has issued a warning about the active exploitation of the vulnerability, highlighting the serious nature of the threat. The security community has responded by urging immediate updates, particularly given the software's widespread use and the availability of proof-of-concept exploits (Security Affairs, Help Net Security).

Recursos adicionales

FuenteEste informe se generó utilizando IA

Relacionado 7-Zip Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2025-11001HIGH7
  • 7-Zip7-Zip
  • 7zip
NoNov 19, 2025
CVE-2025-53817MEDIUM5.5
  • 7-Zip7-Zip
  • p7zip-doc
NoJul 17, 2025
CVE-2025-53816MEDIUM5.5
  • 7-Zip7-Zip
  • p7zip-rar
NoJul 17, 2025
CVE-2025-55188LOW3.6
  • 7-Zip7-Zip
  • 7zip
NoAug 08, 2025
CVE-2022-47112LOW3.3
  • 7-Zip7-Zip
  • 7zip
NoApr 19, 2025

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades
Solicita una demo