A critical security vulnerability, designated CVE-2025-XXXX with a CVSS 3.1 base score of 8.8, has been disclosed in the open-source file compression utility 7-Zip. The flaw lies in how 7-Zip handles the opening of compressed files. If an attacker crafts a malicious compressed file and a user opens it, either by double-clicking it or by using the command line to inspect its contents, the malicious code can execute on systems with 16GB of memory or more. Notably, 7-Zip has no automatic update feature and relies on users to upgrade the software manually. Consequently, a significant number of users and production servers are still running vulnerable versions.
Researchers estimate that hundreds of millions of devices worldwide could be at risk, across Windows, Linux, Mac, and embedded systems. To mitigate this risk, users are strongly advised to update to version 26.01 or later at the earliest opportunity. IT administrators should also review their CI/CD scripts and automated processing workflows to ensure they do not inadvertently invoke a vulnerable 7z command line.
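The two mitigations above (confirm the installed 7-Zip is at least 26.01, and find pipeline scripts that shell out to the 7z binaries) are easy to get wrong by eye, so here is a small audit helper. This is an added example written for this page, not code from the 7-Zip project or from the article. It assumes the familiar 7-Zip banner format ("7-Zip 23.01 (x64) : Copyright ...", or "7-Zip [64] 16.02 : ..." for older builds), treats 26.01 from the text as the minimum patched version, and uses a heuristic regex for spotting `7z`, `7za`, `7zr` and `7zz` invocations; the sample pipeline script and banners are constructed for illustration.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Minimum patched version stated in the advisory text (26.01).
MIN_PATCHED: Tuple[int, int] = (26, 1)

# 7-Zip banners look like "7-Zip 23.01 (x64) : Copyright ..." or, on older
# builds, "7-Zip [64] 16.02 : Copyright ...". Optional bracketed/parenthesised
# tokens may sit between the product name and the version (assumption).
_BANNER_RE = re.compile(r"7-Zip(?:\s+[\[(][^\])]*[\])])*\s+(\d+)\.(\d+)")

# Heuristic: a 7z family binary name (7z, 7za, 7zr, 7zz, optionally .exe) not
# preceded by a word character or '-', so "p7zip-full" and "7-Zip" don't match
# but "/usr/bin/7z" and "C:\...\7z.exe" do.
_INVOKE_RE = re.compile(r"(?<![\w-])7z[arz]?(?:\.exe)?\b")


def parse_7z_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a 7-Zip banner line, or None if absent."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_update(version: Tuple[int, int], minimum: Tuple[int, int] = MIN_PATCHED) -> bool:
    """True when the installed version is older than the minimum patched one."""
    return version < minimum


def installed_banner(binary: str = "7z") -> Optional[str]:
    """Run the local 7z binary with no arguments and return its banner line.

    Returns None if the binary is not installed; this is the only part of the
    example that touches the host system.
    """
    try:
        out = subprocess.run([binary], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    for line in (out.stdout + out.stderr).splitlines():
        if "7-Zip" in line:
            return line.strip()
    return None


def find_7z_invocations(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every non-comment line invoking a 7z binary."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments are not executed; skip to reduce noise
        if _INVOKE_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample CI script (not a real pipeline) used for demonstration.
SAMPLE_PIPELINE = """\
#!/bin/sh
# constructed sample CI script, not a real pipeline
set -e
apt-get install -y p7zip-full
7z x "$ARTIFACT_DIR/upload.7z" -o"$WORK_DIR"
tar -xzf legacy.tar.gz
/usr/local/bin/7zz l incoming/*.zip
echo done
"""

if __name__ == "__main__":
    # Constructed banner standing in for a host that has not been updated.
    banner = installed_banner() or "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20"
    ver = parse_7z_version(banner)
    if ver is None:
        print("could not determine 7-Zip version from banner:", banner)
    else:
        state = "NEEDS UPDATE" if needs_update(ver) else "ok"
        print(f"installed 7-Zip {ver[0]}.{ver[1]:02d}: {state} (minimum {MIN_PATCHED[0]}.{MIN_PATCHED[1]:02d})")
    for lineno, line in find_7z_invocations(SAMPLE_PIPELINE):
        print(f"pipeline line {lineno} invokes 7z: {line}")
```

Point `find_7z_invocations` at the text of each Jenkinsfile, GitHub Actions workflow or shell wrapper in a repository and treat every hit as a place where the binary version on the runner must be checked as well; the invocation regex is deliberately broad, so expect to review the hits rather than act on them blindly.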
