A high-severity vulnerability has been discovered in the 7-Zip library, which is used by numerous software products to process ZIP files. This flaw could allow a remote attacker to execute malicious code on a target system by tricking a user or an automated process into opening a specially crafted ZIP archive, potentially leading to a full system compromise.

This vulnerability is a directory traversal combined with a file parsing weakness that leads to remote code execution. An attacker can create a malicious ZIP archive containing file paths with "dot-dot-slash" (../) sequences. When a vulnerable application using the 7-Zip library attempts to extract this archive, it fails to properly sanitize the file paths, allowing the attacker to write arbitrary files outside of the intended extraction directory. By writing a malicious script or executable to a sensitive location (such as a web server's root directory or a system startup folder), the attacker can achieve remote code execution when that file is later processed or executed by the system.

This vulnerability is rated as High severity with a CVSS score of 7. Successful exploitation could lead to a complete compromise of the affected system, allowing an attacker to steal sensitive data, install ransomware, disrupt business operations, or use the compromised machine as a pivot point to attack other internal network resources. The widespread use of the 7-Zip library across many applications means the potential attack surface within an organization could be large, posing a significant risk of data breaches, financial loss, and reputational damage.

Immediate Action: Apply security patches immediately for internet-facing systems and any other critical systems that process ZIP archives. Prioritize systems that automatically ingest and process files from external sources. After patching, monitor for any signs of exploitation attempts and review historical access logs for suspicious archive extraction activity.

Proactive Monitoring: Security teams should monitor for unexpected file creation in sensitive system directories (e.g., C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, /etc/init.d/, or web application directories). Implement logging and alerting for processes that handle file extraction writing files to unusual locations. Network monitoring can be used to detect command-and-control traffic originating from a potentially compromised host.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Use Endpoint Detection and Response (EDR) solutions to detect and block the execution of malicious payloads dropped by the exploit.
• Enforce the principle of least privilege to prevent applications from writing files to sensitive system locations.
• Use application whitelisting to prevent the execution of unauthorized executables in critical directories.
• Deploy a web application firewall (WAF) to inspect and block malicious file uploads to internet-facing applications.

Public Exploit Available: false

Given the high severity (CVSS 7) and the potential for remote code execution, this vulnerability requires immediate attention. Organizations are strongly advised to identify all affected software that utilizes the 7-Zip library and apply the necessary security patches without delay, prioritizing internet-facing and business-critical systems. Although this vulnerability is not currently on the CISA KEV list, its impact makes it a prime candidate for future inclusion. Organizations should treat this as an active threat and accelerate their patch management and monitoring efforts to prevent a potential compromise.