UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Cyber security

7-Zip RCE Vulnerability Patch 2026: Update Now

London · Servnet News Desk · IT infrastructure analysis4 min read
Share

A critical remote code execution flaw in 7-Zip, one of the most widely deployed archive utilities on Windows estates across the UK, has been fixed in version 26.02. Because effective patch management for 7-Zip is entirely manual, thousands of UK organisations are quietly exposed until IT teams act.

CVSS Severity: Recent 7-Zip RCE Flaws Compared
10 CVSS8 CVSS5 CVSS3 CVSS0 CVSS7 CVSSCVE-2025-110018.8 CVSSCVE-2026-48095CVSS Score
View the data behind this chart
CVSS Severity: Recent 7-Zip RCE Flaws Compared
CVE-2025-11001CVE-2026-48095
CVSS ScoreCVSS7CVSS8.8

What happened, and why it matters to UK infrastructure teams

7-Zip 26.02, released to fix a heap-based buffer overflow in the way the tool processes XZ-compressed data, closes a vulnerability now tracked as CVE-2026-48095 with a CVSS score of 8.8, placing it firmly in the critical band. The flaw was disclosed by researcher Landon Peng of Lunbun via the Zero Day Initiative, and it allows an attacker to execute arbitrary code as the logged-in user simply by getting them to open a specially crafted archive or, in some scenarios, visit a malicious page.

For UK buyers, the relevance is structural rather than exotic. 7-Zip sits inside countless build pipelines, backup export routines, file-transfer workflows and helpdesk toolkits precisely because it is free, open-source and near-universal on Windows servers and workstations. That ubiquity is exactly what makes it an attractive delivery mechanism for attackers running phishing or social-engineering campaigns against UK organisations.

Why archive tools are a soft target for backup and file distribution teams

The attack path here does not require the victim to extract the archive; simply opening it can be enough, which puts anyone handling inbound compressed files, invoices, CVs, supplier documents, backup export packages, at risk. Teams managing robust backup and disaster recovery plans should treat this as a reminder that archive-handling infrastructure is itself part of the attack surface, not just a neutral utility sitting behind the backup job.

This is not a theoretical concern. Earlier 7-Zip flaws have already been weaponised: in early 2025, Russian threat actors exploited a 7-Zip vulnerability that bypassed Windows' Mark of the Web protections as a zero-day, and later that year a separate WinRAR flaw, CVE-2025-8088, was used in phishing attacks to install the RomCom malware. Archive-tool exploitation has a track record, and CVE-2026-48095 gives attackers a fresh critical-severity opportunity to repeat the pattern.

No auto-update means this patch will not fix itself

Unlike most enterprise software, 7-Zip has no built-in automatic update mechanism. That single fact turns a routine vendor fix into an operational task that UK infrastructure and security teams must actively drive: identifying every install, downloading version 26.02 directly from the official 7-zip.org site, and pushing it out through managed deployment tools rather than waiting for end users to notice.

This is a good moment to stress-test vulnerability management strategies around software that lacks self-updating capability. Asset inventories that don't specifically track 7-Zip versions across servers, VMs, golden images and endpoint fleets will miss this exposure entirely, and legacy or shadow installs bundled inside other software packages are easy to overlook.

Illustration: 7-Zip RCE Vulnerability Patch 2026: Update Now

Watch out for fake installers exploiting the update rush

Adding urgency without adding caution can backfire. A separate campaign, tracked as upStage Proxy, has already been observed distributing residential proxy malware via a lookalike domain designed to mimic the legitimate 7-Zip site. Any organisation pushing staff to "update 7-Zip now" should point them explicitly to 7-zip.org and route deployment through verified internal channels, not search-engine links, to avoid trading one risk for another.

What this means for wider security posture

No active exploitation of CVE-2026-48095 has been reported at the time of disclosure, which gives UK teams a genuine window to patch before attackers weaponise it, unlike the earlier CVE-2025-11001 case, initially reported by NHS England Digital as under active exploitation before that assessment was corrected. That window won't stay open indefinitely once a public proof-of-concept or exploit module appears.

Because exploitation relies on user interaction rather than a network-facing service, this flaw sits well within the remit of managed detection & response and endpoint controls that can catch anomalous process behaviour even where patching has lagged. Organisations building out zero trust architectures should also treat archive-opening applications as a legitimate control point, since the flaw's dependence on user interaction makes it a natural fit for application allow-listing and sandboxed extraction policies.

Practical next steps for infrastructure buyers

Given the manual patching burden, UK IT and security leads should prioritise a short, structured rollout rather than treating this as a routine background update. Pair the patch cycle with a review of how archive files are received, scanned and opened across the business, and confirm that ransomware protection tooling is configured to flag suspicious archive-based payloads regardless of patch status.

  • Inventory every 7-Zip install across servers, VMs, golden images and endpoints
  • Download version 26.02 only from the official 7-zip.org site
  • Deploy via managed software distribution rather than relying on end users
  • Brief helpdesk and security teams on the fake-installer risk before rollout
  • Review backup and file-distribution workflows that ingest archives from external sources
Share
Key takeaways
  • 7-Zip 26.02 patches CVE-2026-48095, a critical (CVSS 8.8) RCE flaw in XZ archive processing.
  • Exploitation needs only user interaction, opening a malicious archive can be enough, no extraction required.
  • 7-Zip has no auto-update feature, so UK IT teams must manually deploy the fix across every affected machine.
  • No active exploitation is reported yet, but past 7-Zip and WinRAR flaws have both been weaponised in real attacks.
Frequently asked

FAQs — 7-Zip RCE Vulnerability Patch 2026

What is CVE-2026-48095?

It's a critical remote code execution vulnerability (CVSS 8.8) in 7-Zip's handling of XZ-compressed data, fixed in version 26.02, that lets attackers run arbitrary code via a specially crafted archive.

Does 7-Zip update itself automatically?

No. 7-Zip has no built-in auto-update mechanism, so UK organisations must manually download and deploy version 26.02 from 7-zip.org, making this a task for effective patch management processes rather than passive vendor updates.

Is this vulnerability being actively exploited?

No reports of active exploitation had emerged at the time of disclosure, though similar archive-tool flaws in 7-Zip and WinRAR have previously been used in real-world phishing and malware campaigns.

What should backup and file-distribution teams do first?

Inventory all 7-Zip installations touching backup exports, file transfers or shared archives, patch to 26.02 from the official site, and review how robust backup and disaster recovery plans handle inbound compressed files.

Related

Turning this into a buying decision?

One conversation with an engineer who's specced this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111