NHS Alerts to Active Exploitation of 7-Zip Symbolic Link RCE (CVE-2025-11001)

These articles are AI-generated summaries. Please check the original sources for full details.

NHS Warns of PoC Exploit for 7-Zip Symbolic Link–Based RCE Vulnerability

The UK’s NHS England Digital issued an advisory on November 19, 2025, reporting active exploitation of CVE-2025-11001, a remote code execution (RCE) vulnerability in 7-Zip, and later retracted the exploitation claim. The vulnerability, fixed in 7-Zip version 25.00, lies in how the software handles symbolic links within ZIP files.

Why This Matters

Archive extraction is generally assumed to be safe, but flawed implementations can allow attackers to traverse directory structures and execute code. Successful exploitation could lead to system compromise within healthcare environments and beyond, with potential costs reaching millions in remediation and data breach fines.

Key Insights

  • CVE-2025-11001 & CVE-2025-11002: Both vulnerabilities were introduced in 7-Zip version 21.02 and fixed in version 25.00.
  • AI-assisted discovery: The vulnerability was discovered by Ryota Shiga with assistance from GMO Flatt Security’s AI-powered AppSec Auditor, Takumi.
  • Windows-specific: Exploitation is currently limited to Windows operating systems.

Practical Applications

  • Healthcare Systems: Immediate patching of 7-Zip is critical for healthcare organizations to prevent potential disruption of services and data breaches.
  • Pitfall: Relying on outdated software versions, even for seemingly benign tools like file archivers, creates significant attack surfaces for adversaries.
