Cyber Resilience

CVE-2025-11837

HighRCE

Published: 02 January 2026

Published
02 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v4 8.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0139 68.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-11837 is a high-severity Code Injection (CWE-94) vulnerability in Qnap Malware Remover. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-11837 is an improper control of generation of code vulnerability (CWE-94) affecting QNAP's Malware Remover software. Published on 2026-01-02, it enables remote attackers to bypass the software's protection mechanism, earning a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows bypassing Malware Remover's protection mechanisms, potentially leading to high impacts on confidentiality, integrity, and availability.

QNAP has addressed the issue in Malware Remover version 6.6.8.20251023 and later releases. Additional mitigation details are available in security advisory QSA-25-47 at https://www.qnap.com/en/security-advisory/qsa-25-47.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023…

more

and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1211 Exploitation for Stealth Stealth
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

Vulnerability in public-facing Malware Remover (AV:N) enables exploitation of public-facing application (T1190), specifically for defense evasion by bypassing security tool protections (T1211, T1562.001), with critical RCE-like impacts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13086Same product class: NAS / storage appliance
CVE-2025-30276Same product class: NAS / storage appliance
CVE-2025-29894Same product class: NAS / storage appliance
CVE-2025-52870Same product class: NAS / storage appliance
CVE-2025-59385Same product class: NAS / storage appliance
CVE-2025-62849Same product class: NAS / storage appliance
CVE-2026-22898Same product class: NAS / storage appliance
CVE-2025-47206Same product class: NAS / storage appliance
CVE-2025-52425Same product class: NAS / storage appliance
CVE-2025-59389Same product class: NAS / storage appliance

Affected Assets

qnap
malware remover
6.6.3 — 6.6.8.20251023

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely patching of the improper code generation flaw in Malware Remover to the fixed version 6.6.8.20251023.

prevent

Prevents exploitation of the CWE-94 code injection vulnerability by validating all inputs used in dynamic code generation within Malware Remover.

prevent

Mitigates potential arbitrary code execution from the improper code generation by enforcing memory protections like DEP and ASLR in the affected system.

References