7PAA023732
ABB is aware of public reports of vulnerabilities in 7-Zip version 18.5 and Microsoft Azure Data Studio version 1.32 included in the product versions listed as affected in the advisory. The vulnerability in 7-Zip can be exploited if attacker gains control over the system and extracts a malicious file using this version of 7-Zip. Otherwise, the attacker must force the user to visit malicious websites or click links and extract the package through 7-zip. Microsoft Azure Data Studio gets installed along with SQL Server Management Studio. An attacker who successfully exploits vulnerability in Microsoft Azure Data studio may compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. if the Authentication, Authorization and Accountability is not configured properly in the system. However, none of the products listed above uses Microsoft Azure Data Studio. Microsoft Azure Data Studio is automatically removed from the system from System 800xA 7.0 onwards. These vulnerabilities may appear when the product media is scanned. However, they can only be ex-ploited if the vulnerable software is installed on the system. For this reason, it is strongly advised to uninstall outdated or vulnerable versions of third-party software immediately.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ABB Application Change Management <=6.2 | ||
| ABB 800xA for Symphony Plus Harmony <=6.2 | ||
| ABB 800xA History <=7.0 | ||
| ABB Batch Management <=6.2 | ||
| ABB 800xA for AC 870P Melody <=6.2 | ||
| ABB Production Response Batch History <=6.2 |
Exploit Intelligence
- rasan2001/CVE-2022-29072 (github-poc-repo)
- Proof-of-concept of CVE-2025-55188: 7-Zip arbitrary file write (github-poc-repo)
- Proof-of-concept of CVE-2025-55188: 7-Zip arbitrary file write (github-poc)
- 7z exploit POC versions prior to 25.01 (github-poc)
- Exploit for CVE-2025-11001 (github-poc)
- ranasen-rat/CVE-2025-11001 (github-poc)
- CVE-2025-11001 (CVSS 7.0) – 7-Zip < 25.00 Directory Traversal → RCE via crafted ZIP with symlink. Allows arbitrary file write when extracted as Administrator. Fixed in 7-Zip 25.00 (July 2025). (github-poc)
- lastvocher/7zip-CVE-2025-11001 (github-poc)
- Exploit for CVE-2025-11001 or CVE-2025-11002 (github-poc)
- Rust Macros No Recoil Guide 🚀 Boost Aim Like a Pro in C and Python (github-poc)
…and 38 more exploits
Timeline
- Feb 6, 2025 PoC Published
- Feb 16, 2025 PoC Published
- Mar 26, 2025 PoC Published
- Nov 22, 2025 PoC Published
- Mar 31, 2026 CVE Published
- May 22, 2026 CVE Updated
References
- https://search.abb.com/library/Download.aspx?DocumentID=7PAA023732&LanguageCode=en&DocumentPartId=&Action=Launch advisory
- https://psirt.abb.com/csaf/2026/7paa023732.json advisory
- https://library.abb.com/d/3BDS011222D7000 url
- https://library.abb.com/d/3BSE034463D7000 url
- https://library.abb.com/d/3BSE037410D7000 url
- https://library.abb.com/d/3BSE080520D7000 url