Two newly disclosed vulnerabilities in the well-known open source archiver 7-Zip can put the integrity of a Windows system at risk. According to the advisories published by Trend Micro's Zero Day Initiative (ZDI), the flaws, tracked as CVE-2025-11001 and CVE-2025-11002, allow, under certain conditions, arbitrary code execution, that is, running unauthorized commands on the system, simply by opening or extracting a specially crafted ZIP archive.

Both flaws stem from the way 7-Zip handles symbolic links (symlinks), special filesystem entries that point to another file or directory. In this class of bug a malicious archive carries a symlink entry whose target lies outside the extraction folder, followed by entries that are written through that link, so the extraction "escapes" the chosen directory and writes files to sensitive system paths, potentially altering or compromising the functioning of Windows. One practical caveat: Windows only lets a process create symbolic links if it holds SeCreateSymbolicLinkPrivilege (granted to administrators by default) or if Developer Mode is enabled, so exposure depends on the context in which 7-Zip runs.

Both flaws received a CVSS score (an index that measures the severity of a vulnerability) of 7.0 out of 10, which is rated high. To resolve them, update the application to the latest available version.
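To make the symlink escape concrete, here is an added example (my own illustration, not code from 7-Zip or from the ZDI advisories, and not a reproduction of the exact trigger for these two CVEs). It builds, in memory, a constructed ZIP whose first entry is a symlink pointing out of the extraction directory and whose second entry is a file written through that link, then runs the audit a safe extractor has to perform before writing anything: resolve each entry's final on-disk path, following symlink entries seen earlier in the same archive, and refuse anything that would land outside the destination. The destination /tmp/extract, the entry names and the link target are assumptions; POSIX path syntax is used so it runs anywhere, but the logic applies unchanged to a Windows destination.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink_entry(info: zipfile.ZipInfo) -> bool:
    """ZIP keeps the Unix mode in the high 16 bits of external_attr; a symlink
    entry has S_IFLNK set there and carries its link target as the entry data."""
    return stat.S_ISLNK(info.external_attr >> 16)


def resolve_entry(name: str, symlinks: dict[str, str], dest: str) -> str:
    """Where would `name` land if extracted into `dest`? Each path component is
    walked in turn; if the path so far is a symlink entry already seen in the
    archive, we hop through it (targets are relative to the link's parent dir,
    exactly as the filesystem would interpret them on extraction)."""
    rel = "/" if name.startswith("/") else "."
    for comp in name.split("/"):
        if comp in ("", "."):
            continue
        rel = posixpath.normpath(posixpath.join(rel, comp))
        if rel in symlinks:
            rel = posixpath.normpath(posixpath.join(posixpath.dirname(rel), symlinks[rel]))
    return posixpath.normpath(posixpath.join(dest, rel))


def audit_zip(data: bytes, dest: str = "/tmp/extract") -> list[str]:
    """Return one finding per entry that would be written outside `dest`.
    Symlink entries are recorded *before* they are checked, so a link that
    escapes is flagged itself and also poisons every later path through it."""
    dest = posixpath.normpath(dest)
    findings: list[str] = []
    symlinks: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink_entry(info):
                symlinks[posixpath.normpath(name)] = zf.read(info).decode("utf-8", "replace")
            target = resolve_entry(name, symlinks, dest)
            if target != dest and not target.startswith(dest + "/"):
                kind = "symlink" if is_symlink_entry(info) else "file"
                findings.append(f"{kind} {name!r} would be written to {target} (outside {dest})")
    return findings


def _symlink_info(name: str) -> zipfile.ZipInfo:
    info = zipfile.ZipInfo(name)
    info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark the entry as a symlink
    return info


def build_malicious_zip() -> bytes:
    """Constructed sample (assumed names): 'docs' -> '../../escape', then a
    regular file 'docs/payload.txt' that an extractor honouring the link
    would write to /escape/payload.txt instead of under the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(_symlink_info("docs"), "../../escape")
        zf.writestr("docs/payload.txt", "written outside the extraction folder")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed sample with a symlink that stays inside the destination
    ('current' -> 'v1'), to show the audit does not reject symlinks as such."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr(_symlink_info("current"), "v1")
        zf.writestr("v1/app.cfg", "key=value")
        zf.writestr("current/notes.txt", "resolves to v1/notes.txt, still inside")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("malicious", build_malicious_zip()), ("benign", build_benign_zip())):
        print(label, audit_zip(blob) or "clean")
```

The audit deliberately resolves paths itself instead of trusting the filesystem after the fact: once a symlink has been created on disk, a later write through it is already an escape, so the decision has to be made on the archive's declared layout before extraction starts. Note that Python's own zipfile.extractall never creates symlinks (it writes the target string as file content), so this check matters for extractors that do honour them.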
7-Zip updates to close two serious security flaws
The fixes were introduced as early as July 5th by 7-Zip's developer, Igor Pavlov, who released version 25.00 of the software, but public disclosure of the problem only came on October 7th, leaving many users unaware of the risk and exposed to possible attacks. Since 7-Zip has no automatic update mechanism, millions of installations remain vulnerable today.
If you are running a version earlier than 25.00, all you need to do is download and manually install the latest release from the official website, currently version 25.01 (we explain how below). For the record, this build also includes fixes for minor issues in the handling of RAR and COM archives, although the main reason to install it remains closing the two security holes.
This is not the first time 7-Zip has been at the center of such reports. In early 2025 another vulnerability emerged, CVE-2025-0411, which allowed the Windows Mark-of-the-Web (the mechanism that flags files downloaded from the Internet as potentially dangerous) to be bypassed. In that case too the problem was fixed in a later version, 24.09.
How to update 7-Zip to the latest version available
Returning to the two vulnerabilities this article focuses on, here are the steps to update 7-Zip to the latest available version.
- Close 7-Zip if it is currently running, to avoid conflicts during the update.
- Go to the official 7-Zip download page, https://www.7-zip.org/download.html.
- Click the Download link for the build matching your operating system: 64-bit Windows x64 (the most common), 32-bit Windows x86, etc.
- Download the installer and, for extra assurance, scan the downloaded file with your antivirus before running it; make sure it really came from 7-zip.org and not a mirror you do not trust.
- Double-click the .exe file and accept the UAC prompt asking for administrator permissions.
- The setup program detects the previous version and offers to update it while keeping your existing settings: click Install, then Close.
- Restart 7-Zip and verify the update via Help > About 7-Zip, checking that the version shown is now 25.01.
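Because 7-Zip never updates itself, the step that matters most on more than one machine is the verification. Here is an added example (my own, not a 7-Zip tool) that locates the 7z command-line binary, reads the version from the banner it prints and reports whether it predates the 25.00 fix. The default Program Files paths and the banner layout ("7-Zip 25.01 (x64) : Copyright ...", or "7-Zip [64] 16.02 : ..." on older builds) are assumptions taken from the standard installer and from what 7z.exe prints as its first line; if the CLI is absent the check says so instead of guessing.

```python
import re
import shutil
import subprocess
from typing import Optional

# First release carrying the symlink fixes; anything below this is vulnerable.
FIXED_IN = (25, 0)

# Matches both the current banner ("7-Zip 25.01 (x64) : ...") and the older
# one with the bitness in brackets ("7-Zip [64] 16.02 : ...").
BANNER_RE = re.compile(r"7-Zip(?:\s*\[\d+\])?\s+(\d+)\.(\d+)")

# Assumed default install locations (after PATH), as laid down by the installer.
CANDIDATES = (
    "7z",
    "7z.exe",
    r"C:\Program Files\7-Zip\7z.exe",
    r"C:\Program Files (x86)\7-Zip\7z.exe",
)


def parse_7z_version(banner: str) -> Optional[tuple[int, int]]:
    """Extract (major, minor) from the banner text; None if it is not 7-Zip output."""
    m = BANNER_RE.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_vulnerable(version: tuple[int, int]) -> bool:
    """True for any release earlier than 25.00 (24.09, 23.01, 16.02, ...)."""
    return version < FIXED_IN


def find_7z() -> Optional[str]:
    """Return the first 7z executable found on PATH or in the default folders."""
    for cand in CANDIDATES:
        path = shutil.which(cand)  # absolute candidates are accepted if executable
        if path:
            return path
    return None


def read_banner(exe: str) -> str:
    """Run the CLI with no arguments; it prints its banner and usage and exits."""
    proc = subprocess.run([exe], capture_output=True, text=True, timeout=10)
    return proc.stdout or proc.stderr


def check_installed() -> str:
    """One-line verdict suitable for an inventory script or a login check."""
    exe = find_7z()
    if exe is None:
        return "7-Zip CLI not found (7z / 7z.exe not on PATH or in Program Files)"
    version = parse_7z_version(read_banner(exe))
    if version is None:
        return f"{exe}: could not parse a 7-Zip version from its banner"
    verdict = "VULNERABLE, update to 25.01" if is_vulnerable(version) else "patched"
    return f"{exe}: 7-Zip {version[0]}.{version[1]:02d} -> {verdict}"


if __name__ == "__main__":
    print(check_installed())
```

The version is compared as a (major, minor) tuple rather than as a float so that 25.10 would not sort below 25.01 and 24.09 is correctly older than 25.00. The same parse function can be fed the "About 7-Zip" text or a registry DisplayVersion value if the CLI is not deployed alongside the GUI.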