Cyber Resilience

CVE-2025-56513

Critical · Public PoC

Published: 30 September 2025

Modified: 11 May 2026
KEV Added:
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0052 (67.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56513 is a critical-severity Download of Code Without Integrity Check (CWE-494) vulnerability in NiceHash QuickMiner. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 32.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2025-56513 is a critical vulnerability in NiceHash QuickMiner version 6.12.0, where the software performs automatic updates over HTTP without validating digital signatures or performing hash checks on downloaded files. This flaw, classified under CWE-494 (Download of Code Without Integrity Check), allows attackers to compromise the update mechanism, enabling the delivery and execution of malicious executables. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to the lack of authentication or integrity verification in the update pipeline.

An attacker capable of intercepting or redirecting network traffic to the update URL—such as through man-in-the-middle attacks on unsecured networks—can hijack the process and substitute legitimate updates with arbitrary executables. These malicious files are automatically executed by the miner software without user interaction, resulting in full remote code execution on the victim's system. No privileges or physical access are required, making it exploitable by remote adversaries over the network with low complexity.

References to the vulnerability include detailed analyses in Medium posts by researcher @princep49036142, which describe the auto-update pipeline's insecurity but do not specify official patches or vendor advisories at the time of publication on 2025-09-30.

EU & UK References

Vulnerability details

NiceHash QuickMiner 6.12.0 performs software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update URL can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector. NOTE: the Supplier reports that the existence of an http://update.nicehash.com URL is a fabrication, and that there is no other use of HTTP (rather than HTTPS).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1105 Ingress Tool Transfer (Tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Insecure auto-update over HTTP with no integrity verification directly enables client-side exploitation for code execution (T1203) via malicious file ingress and automatic execution (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3502 (Shared CWE-494)
CVE-2025-27593 (Shared CWE-494)
CVE-2025-7620 (Shared CWE-494)
CVE-2026-9089 (Shared CWE-494)
CVE-2024-50696 (Shared CWE-494)
CVE-2026-2999 (Shared CWE-494)
CVE-2025-1058 (Shared CWE-494)
CVE-2025-15556 (Shared CWE-494)
CVE-2026-27180 (Shared CWE-494)
CVE-2024-43169 (Shared CWE-494)

Affected Assets

nicehash
quickminer
6.12.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires cryptographic integrity verification of software/firmware before execution, blocking the unsigned malicious update download in this CVE.

prevent

Mandates use of signed components for software updates, directly countering the missing digital signature validation that enables RCE via hijacked HTTP downloads.

prevent

Requires cryptographic protection of transmitted data integrity, preventing MITM interception and tampering of the update payload over HTTP.
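
The controls above amount to a gate between download and execution. As an added example (not NiceHash code and not taken from the referenced write-ups), this Python code refuses update sources that are not HTTPS on an expected host and keeps a downloaded package only if its size and SHA-256 match a manifest. The host name, manifest fields and output file name are hypothetical, and the manifest is assumed to have been authenticated already (for example by a signature check against a pinned vendor key, not shown).

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"updates.example.invalid"}  # hypothetical vendor update host
MAX_BYTES = 64 * 1024 * 1024                 # assumed upper bound for a package


class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""


def check_source(url):
    """Reject any update URL that is not HTTPS on an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("update URL must use HTTPS")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected("unexpected update host")


def stage_update(manifest, stream, dest_dir):
    """Hash `stream` while writing a temp file; keep it only on a manifest match."""
    check_source(manifest["url"])
    digest = hashlib.sha256()
    written = 0
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as out:
            while chunk := stream.read(65536):
                written += len(chunk)
                if written > min(manifest["size"], MAX_BYTES):
                    raise UpdateRejected("payload larger than manifest size")
                digest.update(chunk)
                out.write(chunk)
        if written != manifest["size"]:
            raise UpdateRejected("payload shorter than manifest size")
        if not hmac.compare_digest(digest.hexdigest(), manifest["sha256"].lower()):
            raise UpdateRejected("SHA-256 mismatch")
        final_path = os.path.join(dest_dir, "update.verified")
        os.replace(tmp_path, final_path)  # only verified bytes get the final name
        return final_path
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # fail closed: never leave unverified bytes behind
        raise
```

The caller executes or installs only the path returned by `stage_update`; any `UpdateRejected` aborts the update and leaves the installed version in place.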

References