Cyber Posture

CVE-2025-11002

High

Published: 23 January 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11002 is a high-severity Path Traversal (CWE-22) vulnerability in 7-Zip. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability ranks at the 31.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Timely flaw remediation ensures the specific ZIP parsing directory traversal vulnerability in 7-Zip is patched, directly preventing exploitation.

prevent

Information input validation during ZIP file processing checks and sanitizes pathnames and symbolic links, comprehensively blocking directory traversal to unintended locations.

prevent, detect

Malicious code protection scans ZIP files for crafted payloads or exploits, mitigating RCE attempts by blocking or quarantining malicious archives before extraction.
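
One way to apply the input-validation control above as a pre-extraction check on entry names and symbolic links (an added example, not code from 7-Zip or from this page; it is a generic archive audit and does not reproduce the 7-Zip parser flaw). The names `outside_root`, `audit_zip` and `constructed_sample`, and the sample entry names, are hypothetical.

```python
import io
import posixpath
import stat
import zipfile


def outside_root(path):
    """True if a '/'-separated path is absolute, drive-rooted, or climbs above the root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or path[1:2] == ":" or norm == ".." or norm.startswith("../")


def audit_zip(source):
    """Return (entry name, reason) findings that should block extraction."""
    findings, links = [], set()
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            parts = norm.split("/")
            if outside_root(name):
                findings.append((info.filename, "path escapes extraction root"))
            # Entry would be written through a symlink declared earlier in the archive.
            if any("/".join(parts[:i]) in links for i in range(1, len(parts))):
                findings.append((info.filename, "path passes through archived symlink"))
            # Unix file type is in the high 16 bits of external_attr; link target is the entry data.
            if stat.S_ISLNK(info.external_attr >> 16):
                target = zf.read(info).decode("utf-8", "replace").replace("\\", "/")
                joined = posixpath.join(posixpath.dirname(norm), target)
                if target[1:2] == ":" or outside_root(joined):
                    findings.append((info.filename, "symlink target outside root"))
                links.add(norm)
    return findings


def constructed_sample():
    """Constructed test archive: one regular file and one symlink entry (harmless target)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        link = zipfile.ZipInfo("docs/out")
        link.create_system = 3  # Unix host, so the mode bits below are meaningful
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../elsewhere")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(audit_zip(constructed_sample()))
```

A check like this complements flaw remediation rather than replacing it: it lets a mail gateway or upload handler reject or quarantine an archive before any extractor touches it.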

MITRE ATT&CK Enterprise Techniques [AI]

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Malicious ZIP archive with crafted symlinks exploits 7-Zip path traversal to achieve RCE after user opens the file.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743.

Deeper analysis [AI]

CVE-2025-11002 is a ZIP file parsing directory traversal vulnerability that enables remote code execution in affected installations of 7-Zip. The flaw resides in the handling of symbolic links within ZIP files, where crafted data can cause the process to traverse to unintended directories. This issue, tracked as ZDI-CAN-26743, carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

The vulnerability can be exploited by remote attackers who trick users into interacting with a malicious ZIP file using 7-Zip; exploitation requires user interaction, though attack vectors may vary by implementation. No privileges are needed (PR:N), and the low attack complexity (AC:L) combined with the local attack vector (AV:L) makes it feasible in scenarios where victims process untrusted archives. Successful exploitation allows arbitrary code execution in the context of a service account.

The Zero Day Initiative advisory (ZDI-25-950) provides further details on the vulnerability at https://www.zerodayinitiative.com/advisories/ZDI-25-950/.

Details

CWE(s)

Affected Products

7-zip
7-zip
24.09

CVEs Like This One

CVE-2026-28518 (Shared CWE-22)
CVE-2026-35204 (Shared CWE-22)
CVE-2026-39307 (Shared CWE-22)
CVE-2025-69621 (Shared CWE-22)
CVE-2025-0411 (Same product: 7-Zip)
CVE-2026-22661 (Shared CWE-22)
CVE-2025-10284 (Shared CWE-22)
CVE-2026-35177 (Shared CWE-22)
CVE-2025-1915 (Shared CWE-22)
CVE-2026-40157 (Shared CWE-22)
