CVE-2025-56513
📋 TL;DR
NiceHash QuickMiner 6.12.0 performs software updates over unencrypted HTTP without digital signature validation or hash checks. This allows attackers who can intercept or redirect update traffic to deliver malicious executables that automatically execute, resulting in remote code execution. All users running the vulnerable version are affected.
💻 Affected Systems
- NiceHash QuickMiner
📦 What is this software?
Quickminer by Nicehash
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over mining systems, enabling cryptocurrency theft, botnet enrollment, or lateral movement within networks.
Likely Case
Cryptocurrency mining malware installation, credential theft, or ransomware deployment on vulnerable systems.
If Mitigated
No impact if updates are disabled or proper network segmentation prevents traffic interception.
🎯 Exploit Status
Exploitation requires man-in-the-middle position or DNS/network redirection capability. Public technical details available in Medium articles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Check for updated version from NiceHash official sources. 2. If available, download and install the patched version. 3. Verify update mechanism now uses HTTPS with signature validation.
🔧 Temporary Workarounds
Disable Auto-Updates
allPrevent the vulnerable update mechanism from running automatically
Check NiceHash QuickMiner settings for auto-update toggle and disable
Block Update URLs
allPrevent the application from reaching update servers
Add firewall rules to block outbound HTTP traffic to NiceHash update domains
🧯 If You Can't Patch
- Segment mining systems on isolated network segments to prevent traffic interception
- Monitor for unexpected outbound HTTP connections to update servers and unexpected process executions
🔍 How to Verify
Check if Vulnerable:
Check if NiceHash QuickMiner version is 6.12.0 or earlier and verify if update traffic uses HTTP instead of HTTPSCheck Version:
Check application interface or about dialog for version informationVerify Fix Applied:
Verify that update mechanism now uses HTTPS and validates digital signatures before installation📡 Detection & Monitoring
Log Indicators:
- HTTP connections to update servers
- Unexpected executable downloads via HTTP
- New processes spawned from update directory
Network Indicators:
- HTTP traffic to NiceHash update domains
- Unencrypted executable downloads
- DNS requests for update servers followed by HTTP downloads
SIEM Query:
Example: (http_method=GET AND url_contains="update" AND dest_ip IN [NiceHash_servers]) OR (process_name="NiceHash" AND child_process_execution)🔗 References
- https://medium.com/@princep49036142/hijacking-the-miner-how-nicehashminers-auto-update-pipeline-enables-zero-click-rce-ed6a36b6769b
- https://medium.com/@princep49036142/hijacking-the-miner-zero-click-rce-in-nicehash-quickminer-cve-2025-56513-4a7190295e6c
- https://medium.com/@princep49036142/hijacking-the-miner-how-nicehashminers-auto-update-pipeline-enables-zero-click-rce-ed6a36b6769b
