CVE-2025-11837

CRITICAL EXPLOITED

QNAP Malware Remover < 6.6.8.20251023 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-11837 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later

References (1)

Core 1
Core References

Scores

CVSS v3 9.8
EPSS 0.0144
EPSS Percentile 70.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-06-17
CWE
CWE-94
Status published
Products (1)
qnap/malware_remover 6.6.3 - 6.6.8.20251023
Published Jan 02, 2026
Tracked Since Feb 18, 2026