#VU116709 Path traversal in 7-Zip - CVE-2025-11002
Published: October 8, 2025 / Updated: October 24, 2025
Vulnerability identifier: #VU116709
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2025-11002
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
7-Zip
7-Zip
Software vendor:
7-zip.org
7-zip.org
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the handling of symbolic links in ZIP files. A remote attacker can send a specially crafted HTTP request and upload arbitrary files on the system, leading to arbitrary code execution.
Remediation
Install updates from vendor's website.