Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-11001 PoC — 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability

Source
https://github.com/lastvocher/7zip-CVE-2025-11001
Associated Vulnerability
Title:7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability (CVE-2025-11001)
Description:7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.
Readme
# Usage:

```
python3 exploit.py -t "C:\Users\pac\Desktop" -o demo.zip --data-file calc.exe
```

# Exploiting 7-zip

The vulnerability is only exploitable on windows and has one major caveat.The bug can only be exploited when 7-Zip is ran with Admin privileges for this vulnerability to be succesfully exploited. This is because it the 7-zip process creates a symlink, which is a privileged operation on windows. 

Hence the exploitation only makes sense when 7-Zip is used by a service account.

You can find more info about the vulnerability in my blog post [https://pacbypass.github.io/2025/10/16/diffing-7zip-for-cve-2025-11001.html](https://pacbypass.github.io/2025/10/16/diffing-7zip-for-cve-2025-11001.html)

Vulnerable versions: 21.02 - 25.00
File Snapshot

 [4.0K]  /data/pocs/db0ec0ced5bf0321b5c0825be6f225844f1988ea
├── [2.3K]  exploit.py
└── [ 751]  README.md

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →