A vulnerability in 7-Zip (versions before 25.01) allows attackers to abuse symbolic links in archive files to write files outside the intended extraction directory.
Severity
Low
CVSS Score
3.6
CVEs
CVE-2025-55188
POC Available
No
Actively Exploited
No
Exploited in Wild
No
Advisory Version
1.0
Overview
This can lead to overwriting sensitive files, potentially enabling code execution or privilege escalation. The flaw is primarily exploitable on Linux systems due to common file permission models but can also impact Windows under specific conditions. Affected archive formats include ZIP, TAR, 7Z and RAR.
The security flaw was reported and discoverd by security researcher lunbun, who identified that 7-Zip fails to properly validate symbolic links when extracting certain archive formats.
Vulnerability Name
CVE ID
Product Affected
Severity
Fixed Version
7-Zip Arbitrary File Write via Symbolic Link Flaw
CVE-2025-55188
7-Zip
Low
25.01 and later.
Technical Summary
Cause: Improper validation of symbolic links during archive extraction.
Attack Vector: Malicious archives can contain symlinks pointing outside the extraction directory.
Impact: Overwrites arbitrary files on the system. On Linux, this can replace startup scripts, configuration files, or binaries to gain elevated privileges. On Windows, exploitation requires write access to target paths.
Affected Formats: ZIP, TAR, 7Z, RAR.
CVE ID
CVSS Score
System Affected
Vulnerability Details
Impact
CVE-2025-55188
3.6
Linux, Windows 7-Zip versions
7-Zip mishandles symbolic links in archives, letting attackers write files anywhere on the system during extraction.
Code execution, Privilege escalation
Recommendations:
Here are some recommendations below
Update 7-Zip to version 25.01 or latest one.
Avoid extracting archives from untrusted sources.
Always consider using sandboxed environments for unknown files extraction.
Conclusion: While CVE-2025-55188 carries a low CVSS score, the real-world impact can be severe in certain environments, especially on Linux systems with high-privilege extraction processes.
Immediate patching to 7-Zip 25.01 or later is strongly advised to mitigate the risk of arbitrary file overwrite attacks.
The researcher has submitted a request for reevaluation of the CVSS score and offered to provide proof-of-concept demonstrations to package repository maintainers who require additional verification.
Summary : Schneider Electric has found critical security flaws in its EcoStruxure IT Data Center Expert software (version 8.3 and earlier) which allow attackers to run harmful codes, steal data or disrupt data center operations. The EcoStruxure IT Data Center is a scalable monitoring solution for data center equipment. Through the web interface the flaw allows unauthenticated remote code execution when HTTP is enabled, though it is disabled by default.
The most severe flaw lets attackers execute commands remotely without logging in and other risks include weak password generation and privilege misuse.
Schneider urges users to upgrade to version 9.0. as a priority, if users are unable to update right now, users should secure their systems by limiting access, disabling unused services, using VPNs and security best practices.
The vulnerabilities have been identified in the system that exposes it to remote takeover, unauthorized access and internal data exposure.
At the core of the risk is a command injection flaw in the web interface, where unsanitized input allows attackers to execute system-level commands without authentication.
Compounding the issue is a weak password generation mechanism that uses low-entropy values, making root credentials easier to predict if installation or update packages are obtained.
Privileged users can also exploit unsafe input handling, specifically in fields like the hostname to inject and execute arbitrary code.
Furthermore, improper validation of internal HTTP requests allows attackers to perform server-side request forgery (SSRF), potentially accessing internal services and sensitive resources without credentials.
CVE ID
CVSS Score
System Affected
Vulnerability Details
Impact
CVE-2025-50121
10.0
Web interface
Allows unauthenticated attackers to run system commands via malicious folder in web interface.
Unauthenticated RCE, full system compromise.
CVE-2025-50122
8.3
Password generation system
Allows unauthenticated attackers to run system commands via malicious folder in web interface.
Root access by reverse-engineering password generation, leading to full control.
CVE-2025-50123
7.2
Server console interface
Allows unauthenticated attackers to run system commands via malicious folder in web interface.
Arbitrary command execution by privileged users, risking internal misuse or escalation
CVE-2025-50125
7.2
HTTP request handler
Attackers manipulate hidden URLs to access internal services or run code without login.
Unauthorized access to internal services, RCE and data exposure.
In addition to the Critical and High Severity vulnerabilities, Two other medium severity issues were addressed.
CVE-2025-50124 – Improper Privilege Management (CVSS 6.9) This issue allows privilege escalation through a setup script by a user already holding elevated access via the console.
CVE-2025-6438 – XML External Entity (XXE) Injection (CVSS 6.8)
Attackers could exploit SOAP API calls to inject malicious XML entities and gain unauthorized file access.
Remediation:
Immediately upgrade to EcoStruxure DCE version 9.0 or the latest one to fix critical security flaws.
Schneider recommends hardening DCE instances per the EcoStruxure IT Data Center Expert Security Handbook and adopting cybersecurity best practices.
Attackers could gain full access, run harmful commands, or steal data. It is strongly advised to update to version 9.0 or apply strict security measures to reduce the risks immediately.
IoT and Evolving Threat landscape
Industrial IoT security threats have evolved from theoretical concerns to active, persistent dangers that target manufacturing operations worldwide.
The convergence of traditional operational technology with modern information technology has created attack vectors that cybercriminals, nation-state actors, and industrial espionage operations actively exploit.
The financial impact of industrial cybersecurity incidents continues to escalate, with the average cost of a manufacturing sector data breach reaching $4.97 million in 2024, not including potential regulatory fines, business interruption losses, and long-term reputation damage.
The security flaws in Schneider’s EcoStruxure IT Data Center Expert software exposes the dynamic threat landscape that may exist in Industrial IoT .
These vulnerabilities in Schneider Electric’s EcoStruxure DCE can seriously affect system security and data center operations.
