7Zip Vulnerability Lets Hackers Write Files and Run Malicious Code

pA security vulnerability has been discovered in the popular 7Zip file compression utility that could allow attackers to write arbitrary files to victim systems and potentially execute malicious codeppThe flaw tracked as CVE202555188 affects all versions of 7Zip prior to the recently released version 2501 and stems from improper handling of symbolic links during archive extractionppThe security flaw was discovered and reported by security researcher lunbun who identified that 7Zip fails to properly validate symbolic links when extracting certain archive formatsppThis weakness enables maliciously crafted archives to create unsafe symbolic links that the extraction process then follows leading to arbitrary file write capabilities on the target systemppThe vulnerability primarily affects Linux systems where 7Zip versions prior to 2501 are used to extract archives supporting symbolic links including popular formats such as ZIP TAR 7Z and RAR filesppWindows systems can also be exploited but additional conditions must be met such as running the extraction process with Administrator privileges or having Windows Developer Mode enabled to allow symbolic link creationppAccording to the researchers analysis attackers can leverage this arbitrary file write capability to achieve unauthorized access and code execution by overwriting sensitive system filesppPotential attack scenarios include replacing SSH keys modifying shell configuration files like bashrc or overwriting other critical system components that could grant persistent access to compromised systemsppThe researcher emphasizes that a single malicious archive extraction could trigger multiple exploitation attempts allowing attackers several opportunities to write to sensitive file locations during the extraction processppNotably the vulnerabilitys discoverer has expressed concerns about the official CVSS severity rating of 27 arguing that MITRE has significantly underreported the vulnerabilitys true impactppThe researcher has submitted a request for reevaluation of the CVSS score and offered to provide proofofconcept demonstrations to package repository maintainers who require additional verificationppUsers are strongly advised to immediately update to 7Zip version 2501 which includes a fix for this vulnerabilityppIgor Pavlov the 7Zip maintainer responded quickly to implement the necessary security patch Organizations should prioritize this update particularly on Linux systems where the vulnerability is more easily exploitableppUntil systems can be updated users should exercise extreme caution when extracting archives from untrusted sources and consider using alternative extraction tools for suspicious filesppFind this News Interesting Follow us on Google News LinkedIn and X to Get Instant UpdatesppHot this weekppGBHackers on Security is a top cybersecurity news platform delivering uptodate coverage on breaches emerging threats malware vulnerabilities and global cyber incidentsppCompanyppTrendingppCategoriesppCopyright 2016 2025 GBHackers On Security All Rights Reservedp