A critical remote code execution flaw in 7-Zip, one of the most widely deployed archive utilities on Windows estates across the UK, has been fixed in version 26.02. Because effective patch management for 7-Zip is entirely manual, thousands of UK organisations are quietly exposed until IT teams act.
View the data behind this chart
| CVE-2025-11001 | CVE-2026-48095 | |
|---|---|---|
| CVSS Score | CVSS7 | CVSS8.8 |
What happened, and why it matters to UK infrastructure teams
7-Zip 26.02, released to fix a heap-based buffer overflow in the way the tool processes XZ-compressed data, closes a vulnerability now tracked as CVE-2026-48095 with a CVSS score of 8.8, placing it firmly in the critical band. The flaw was disclosed by researcher Landon Peng of Lunbun via the Zero Day Initiative, and it allows an attacker to execute arbitrary code as the logged-in user simply by getting them to open a specially crafted archive or, in some scenarios, visit a malicious page.
For UK buyers, the relevance is structural rather than exotic. 7-Zip sits inside countless build pipelines, backup export routines, file-transfer workflows and helpdesk toolkits precisely because it is free, open-source and near-universal on Windows servers and workstations. That ubiquity is exactly what makes it an attractive delivery mechanism for attackers running phishing or social-engineering campaigns against UK organisations.
Why archive tools are a soft target for backup and file distribution teams
The attack path here does not require the victim to extract the archive; simply opening it can be enough, which puts anyone handling inbound compressed files, invoices, CVs, supplier documents, backup export packages, at risk. Teams managing robust backup and disaster recovery plans should treat this as a reminder that archive-handling infrastructure is itself part of the attack surface, not just a neutral utility sitting behind the backup job.
This is not a theoretical concern. Earlier 7-Zip flaws have already been weaponised: in early 2025, Russian threat actors exploited a 7-Zip vulnerability that bypassed Windows' Mark of the Web protections as a zero-day, and later that year a separate WinRAR flaw, CVE-2025-8088, was used in phishing attacks to install the RomCom malware. Archive-tool exploitation has a track record, and CVE-2026-48095 gives attackers a fresh critical-severity opportunity to repeat the pattern.
No auto-update means this patch will not fix itself
Unlike most enterprise software, 7-Zip has no built-in automatic update mechanism. That single fact turns a routine vendor fix into an operational task that UK infrastructure and security teams must actively drive: identifying every install, downloading version 26.02 directly from the official 7-zip.org site, and pushing it out through managed deployment tools rather than waiting for end users to notice.
This is a good moment to stress-test vulnerability management strategies around software that lacks self-updating capability. Asset inventories that don't specifically track 7-Zip versions across servers, VMs, golden images and endpoint fleets will miss this exposure entirely, and legacy or shadow installs bundled inside other software packages are easy to overlook.

Watch out for fake installers exploiting the update rush
Adding urgency without adding caution can backfire. A separate campaign, tracked as upStage Proxy, has already been observed distributing residential proxy malware via a lookalike domain designed to mimic the legitimate 7-Zip site. Any organisation pushing staff to "update 7-Zip now" should point them explicitly to 7-zip.org and route deployment through verified internal channels, not search-engine links, to avoid trading one risk for another.
What this means for wider security posture
No active exploitation of CVE-2026-48095 has been reported at the time of disclosure, which gives UK teams a genuine window to patch before attackers weaponise it, unlike the earlier CVE-2025-11001 case, initially reported by NHS England Digital as under active exploitation before that assessment was corrected. That window won't stay open indefinitely once a public proof-of-concept or exploit module appears.
Because exploitation relies on user interaction rather than a network-facing service, this flaw sits well within the remit of managed detection & response and endpoint controls that can catch anomalous process behaviour even where patching has lagged. Organisations building out zero trust architectures should also treat archive-opening applications as a legitimate control point, since the flaw's dependence on user interaction makes it a natural fit for application allow-listing and sandboxed extraction policies.
Practical next steps for infrastructure buyers
Given the manual patching burden, UK IT and security leads should prioritise a short, structured rollout rather than treating this as a routine background update. Pair the patch cycle with a review of how archive files are received, scanned and opened across the business, and confirm that ransomware protection tooling is configured to flag suspicious archive-based payloads regardless of patch status.
- •Inventory every 7-Zip install across servers, VMs, golden images and endpoints
- •Download version 26.02 only from the official 7-zip.org site
- •Deploy via managed software distribution rather than relying on end users
- •Brief helpdesk and security teams on the fake-installer risk before rollout
- •Review backup and file-distribution workflows that ingest archives from external sources
- 01BleepingComputer — Update now: 7-Zip fixes RCE flaw exploitable with malicious archives · 18 July 2026
- 02Tom's Hardware — Wide-ranging 7-Zip vulnerability with 8.8 CVE rating allows for code execution · 18 July 2026
- 03The Hacker News — Threatsday Bulletin: AI Prompt RCE · 1 February 2026
- 04The Hacker News — Hackers actively exploiting 7-Zip · 1 November 2025
- 05The Hacker News — Weekly Recap: new Linux flaw, PAN-OS · 1 June 2026
