CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-56513

CVSS 9.8v3.1pub. 2025-09-30upd. 2026-05-11

NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector. NOTE: the Supplier reports that the existence of an http://update.nicehash.com URL is a fabrication, and that there is no other use of HTTP (rather than HTTPS).

🤖 AI Analysis
How it works

According to the vulnerability report, the application's automatic update mechanism uses an unencrypted HTTP protocol, allowing an attacker positioned on the network path (man-in-the-middle) to intercept or redirect traffic to the update URL. The lack of digital signature verification or checksum verification of the downloaded file means that a substituted executable file would be installed and run automatically without any integrity checks. This would result in complete arbitrary code execution (RCE) on the user's machine without their interaction (zero-click). However, the vendor denies in a CVE note that the http://update.nicehash.com address even exists and claims that the application does not use HTTP instead of HTTPS.

Impact

An attacker could gain full control over the victim's system by executing arbitrary code with the privileges of the updater process, potentially enabling malware installation, data theft, or hijacking of computing resources.

Mitigation & patch

Apply patches available from the vendor according to the references. Due to the vendor's objection to the described attack vector, it is recommended to verify with the supplier (NiceHash) whether the software version in use truly uses only HTTPS for downloading updates. Until the dispute is clarified, it is recommended to monitor network traffic generated by the application.

Who is affected

NiceHash QuickMiner version 6.12.0 (according to the report description; vendor contests the described attack vector)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Nicehash Quickminer

    APP
    Nicehash
    6.12.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2019-6120HIGH7.5ten sam vendor

An issue was discovered in NiceHash Miner before 2.0.3.0. A missing rate limit while adding a wallet via Email...

CVE-2019-6121LOW3.7ten sam vendor

An issue was discovered in NiceHash Miner before 2.0.3.0. Missing Authorization allows an adversary to can gai...

CVE-2019-6122LOW3.1ten sam vendor

A Username Enumeration via Error Message issue was discovered in NiceHash Miner before 2.0.3.0 because an "EMA...