CVE-2026-14966 in BBOTinfo

Summary

by MITRE • 07/08/2026

BBOT's unarchive module rejects archives containing symlink entries before extraction, but for zip and 7z archives it failed to detect symlinks whose listing carries a DOS-attribute prefix before the unix mode, as produced by legacy versions of p7zip. Such an archive, downloaded and extracted during a scan (for example via filedownload), bypassed the guard and caused an attacker-controlled symlink to be written into the extraction directory. The effect is limited to planting the symlink (its target is not written through), and only hosts using such a legacy p7zip build are affected; current mainline 7-Zip is not.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability in BBOT's unarchive module represents a path traversal weakness that stems from inadequate symlink detection mechanisms within archive processing routines. This flaw specifically affects zip and 7z archive handling where the system fails to properly identify symbolic links that contain DOS attribute prefixes in their listings. The issue arises from legacy compatibility considerations where older versions of p7zip format symlink entries with additional metadata that current detection logic does not account for, creating a bypass mechanism that allows maliciously crafted archives to evade security controls.

The technical implementation flaw exists in the archive parsing logic where BBOT's unarchive module performs validation checks before extraction but relies on insufficient pattern matching for symlink identification. When processing archives created by legacy p7zip implementations, the system encounters symlink entries with DOS attribute prefixes followed by unix mode information, which are not recognized as symbolic link indicators by the current validation routine. This parsing inconsistency allows attackers to craft malicious archives that contain symlink entries formatted in this legacy manner, effectively circumventing the intended security guard designed to prevent symlink injection during extraction processes.

The operational impact of this vulnerability is significant within the context of automated security scanning operations where BBOT processes potentially malicious files downloaded during reconnaissance activities. When such archives are encountered during a scan, particularly those downloaded through filedownload mechanisms, the bypassed symlink detection allows attackers to plant symbolic links in the extraction directory without triggering the protective measures. While the immediate effect is limited to symlink creation rather than arbitrary file writing, this still represents a path traversal vector that could be exploited for directory traversal attacks or to manipulate the filesystem structure in ways that might interfere with subsequent operations.

From a cybersecurity perspective, this vulnerability aligns with CWE-22 Path Traversal and CWE-310 Cryptographic Issues, though it specifically manifests as a validation bypass rather than direct cryptographic weakness. The ATT&CK framework categorizes this under T1059 Command and Scripting Interpreter and T1078 Valid Accounts, as it enables attackers to manipulate filesystem structures in ways that could facilitate further exploitation or establish persistence mechanisms within the target environment. The vulnerability's limited scope means it only affects systems running legacy p7zip builds, but this restriction does not eliminate the security risk given that many older systems may still be in operation.

The primary mitigation strategy involves updating all affected systems to use current versions of 7-Zip that properly handle symlink detection regardless of format variations. Organizations should also implement additional validation layers within their archive processing pipelines to detect anomalous file attributes and ensure that any symlink entries, regardless of their formatting, are properly handled. Network segmentation and access controls around extraction directories can further limit the potential impact, while regular security audits should verify that all system components are running supported versions that do not contain known vulnerabilities in their archive handling capabilities.

Responsible

BLSOPS

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!