CVE Catalog

CVE-2025-56513

Critical
Published: Translated: NVD NIST

Summary

NiceHash QuickMiner version 6.12.0 performs software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update URL can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution.

Risk Assessment

This constitutes a critical supply chain attack vector, which could lead to serious security breaches within the organization.

Recommendation

It is recommended that users of NiceHash QuickMiner update to the latest version that uses HTTPS and validates digital signatures of updates.

Original NVD description (English source)

NiceHash QuickMiner 6.12.0 perform software updates over HTTP without validating digital signatures or hash checks. An attacker capable of intercepting or redirecting traffic to the update url and can hijack the update process and deliver arbitrary executables that are automatically executed, resulting in full remote code execution. This constitutes a critical supply chain attack vector. NOTE: the Supplier reports that the existence of an http://update.nicehash.com URL is a fabrication, and that there is no other use of HTTP (rather than HTTPS).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS