CVE-2025-56513

CRITICAL

NiceHash QuickMiner - Download Without Integrity Check

Description

NiceHash QuickMiner 6.12.0 performs software updates over HTTP without validating digital signatures or hashes. An attacker capable of intercepting or redirecting traffic to the update URL can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector.
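
The checks whose absence the description names (CWE-494), sketched as an added example that is not NiceHash code: an updater gate that refuses cleartext or unexpected update URLs and runs nothing unless the downloaded bytes match a trusted manifest. The host names, payloads and manifest fields are constructed, and the manifest is assumed to have been authenticated already (for example, by a vendor signature checked against a key shipped with the installed client).

```python
import hashlib
import hmac
from urllib.parse import urlsplit

class UpdateRejected(Exception):
    """The downloaded update must not be executed."""

def check_update_url(url, allowed_hosts):
    """Reject cleartext transport and unexpected hosts before any download."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL is not HTTPS")
    if parts.hostname not in allowed_hosts:
        raise UpdateRejected("update host is not allow-listed")

def verify_payload(payload, manifest):
    """Compare size and SHA-256 of the bytes against the trusted manifest."""
    if len(payload) != manifest["size"]:
        raise UpdateRejected("size mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"].lower()):
        raise UpdateRejected("SHA-256 mismatch")

def accept_update(url, payload, manifest, allowed_hosts):
    """Return the payload only if every check passes; otherwise raise."""
    check_update_url(url, allowed_hosts)
    verify_payload(payload, manifest)
    return payload

# Constructed sample data (assumptions: not real NiceHash URLs, files or hashes).
ALLOWED = {"updates.example.test"}
GOOD = b"constructed installer bytes v2"
TAMPERED = b"constructed installer bytes vX"
MANIFEST = {"size": len(GOOD), "sha256": hashlib.sha256(GOOD).hexdigest()}

def demo():
    """Run the gate over four constructed cases and report each outcome."""
    cases = {
        "https + matching hash": ("https://updates.example.test/u.exe", GOOD),
        "http transport": ("http://updates.example.test/u.exe", GOOD),
        "swapped payload": ("https://updates.example.test/u.exe", TAMPERED),
        "redirected host": ("https://mirror.example.test/u.exe", GOOD),
    }
    results = {}
    for name, (url, payload) in cases.items():
        try:
            accept_update(url, payload, MANIFEST, ALLOWED)
            results[name] = "accepted"
        except UpdateRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The hash comparison only protects the update if the manifest travels over a channel the attacker cannot alter; a manifest fetched over the same HTTP connection as the binary gives no assurance.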

Exploits (1)

nomisec WRITEUP
by psycho-prince · poc
https://github.com/psycho-prince/CVE-2025-56513-NiceHash-Update-Chain-Compromise

Scores

CVSS v3 9.8
EPSS 0.0031
EPSS Percentile 53.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-494
Status published
Products (1)
nicehash/quickminer 6.12.0
Published Sep 30, 2025
Tracked Since Feb 18, 2026