Hello,
Maybe someone read this article:
http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
It seems that in OpenPLI unzip version from busybox is used.
This version of unzip does not have protection for "Directory traversal vulnerability".
It means that it "allows to overwrite or create arbitrary files via relative filenames and thus executing malicious code, e.g. by writing to /etc/ld.so.preload, ~/.bashrc etc."
In full unzip version this was fixed in 2003-07-11, unzip-5.50-r2:
http://www.linuxsecurity.com/content/view/105186/104/
So, I strongly recommended to disable applet unzip in busybox configuration and use full unzip utility.
Regards,
SSS