CVE-2025-11001: 
7-Zip Análise e mitigação de vulnerabilidades

A critical security vulnerability (CVE-2025-11001) was discovered in 7-Zip, affecting versions from 21.02 up to version 25.00. The flaw was discovered by Ryota Shiga of GMO Flatt Security Inc., along with the company's AI-powered AppSec Auditor Takumi, and was publicly disclosed on October 7, 2025. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip through the manipulation of symbolic links in ZIP files (Zero Day Initiative, Hacker News).

The vulnerability has been assigned a CVSS score of 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists within the handling of symbolic links in ZIP files, where crafted data can cause the process to traverse to unintended directories. The vulnerability is specifically limited to Windows systems and can only be exploited from the context of an elevated user/service account or a machine with developer mode enabled (Zero Day Initiative, Help Net Security).

When successfully exploited, the vulnerability allows attackers to execute code in the context of a service account. The attack requires user interaction, but the vectors may vary depending on the implementation. The impact is particularly significant for systems where 7-Zip is used with elevated privileges (Zero Day Initiative, Security Affairs).

The vulnerability has been fixed in 7-Zip version 25.00, released in July 2025. Users are strongly advised to upgrade to this version or later as soon as possible, especially given that 7-Zip does not have an auto-update feature. This is particularly crucial due to the availability of public proof-of-concept exploits and active exploitation in the wild (Help Net Security, Hacker News).

NHS England Digital has issued a warning about the active exploitation of the vulnerability, highlighting the serious nature of the threat. The security community has responded by urging immediate updates, particularly given the software's widespread use and the availability of proof-of-concept exploits (Security Affairs, Help Net Security).