Saved February 14, 2026
Do you care about this?
A serious vulnerability in 7-Zip, tracked as CVE-2025-11001, allows attackers to execute arbitrary code by exploiting how older versions handle ZIP files. Although active exploitation hasn't been seen yet, a public proof-of-concept increases the risk of future attacks, especially on Windows systems with privileged accounts. Users must manually update to version 25.01 to mitigate the threat.
If you do, here's more
A significant vulnerability has been discovered in 7-Zip, a widely used file-compression tool. Identified as CVE-2025-11001, this flaw poses a high risk to users, prompting a warning from NHS England Digital. While no active exploitation has been confirmed, a public proof-of-concept (PoC) exploit raises concerns about potential future attacks. The vulnerability, found by Ryota Shiga from GMO Flatt Security Inc., relates to how older versions of 7-Zip manage symbolic links in ZIP files. This Directory Traversal RCE flaw could allow attackers to execute arbitrary code by tricking the software into accessing unauthorized system directories during file extraction.
The situation worsened when security researcher Dominik shared a working exploit publicly, making it easier for cybercriminals to launch attacks. This vulnerability specifically affects Windows systems and is most dangerous when files are extracted with high-level accounts, potentially leading to full system takeovers. Microsoft has flagged ongoing malicious activities associated with this vulnerability, indicating that the public exploit is being utilized in malware campaigns.
To mitigate the risk, users must update to version 25.00 or later, released in July 2025. However, 7-Zip lacks an automatic update feature, meaning users need to manually check and install the latest version. Many systems might still be using vulnerable versions, as updates require user intervention or enterprise management tools. Users should locate any 7-Zip installations older than version 25.00 on their Windows machines and update to the current version, 25.01, available on 7-Zip's official website.
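
One way to locate outdated installations on a Windows machine, as an added example that is not from the article or from the 7-Zip project: the script reads the standard Windows uninstall registry keys and flags any 7-Zip entry older than 25.00. It assumes the installer registered a `DisplayName` beginning with `7-Zip`; the helper name `ConvertTo-SevenZipVersion` is hypothetical.

```powershell
# Added example: inventory registered 7-Zip installs and flag versions
# older than the fixed release named in the article (25.00).
$FixedVersion = [version]'25.0'

# Standard Windows uninstall locations: 64-bit, 32-bit on 64-bit, per-user.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-SevenZipVersion {
    param([string]$Text)
    # DisplayVersion can look like "24.09" or "24.09.00.0"; keep the numeric prefix.
    if ($Text -match '^\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    return $null
}

# Assumption: the entry's DisplayName starts with "7-Zip".
$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '7-Zip*' } |
    ForEach-Object {
        $v = ConvertTo-SevenZipVersion $_.DisplayVersion
        [pscustomobject]@{
            Computer        = $env:COMPUTERNAME
            DisplayName     = $_.DisplayName
            Version         = $_.DisplayVersion
            InstallLocation = $_.InstallLocation
            Status          = if ($null -eq $v) { 'UNKNOWN' }
                              elseif ($v -lt $FixedVersion) { 'VULNERABLE' }
                              else { 'OK' }
        }
    }

if (-not $found) {
    Write-Output 'No registered 7-Zip installation found.'
} else {
    $found | Sort-Object Status | Format-Table -AutoSize
    # Non-zero exit code lets management tooling pick up hosts that need the update.
    if ($found | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
}
```

Portable copies of 7-Zip and copies bundled inside other software do not appear in these registry keys and need a separate file search.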