Malware Remover
CVE-2025-11837
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism.
We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later
AnalysisAI
QNAP Malware Remover before 6.6.8.20251023 has a code generation vulnerability that allows remote attackers to bypass the protection mechanism. An ironic vulnerability in a security tool that is supposed to protect QNAP NAS devices.
Technical ContextAI
The malware removal tool itself contains a code injection flaw (CWE-94) that allows remote attackers to bypass its protection mechanism. This effectively turns a defensive tool into an attack vector. NAS devices are high-value targets containing user data and often running 24/7 with network exposure.
RemediationAI
Update to Malware Remover 6.6.8.20251023 or later via QNAP App Center. Restrict NAS access from the internet. Enable QNAP Security Counselor for additional monitoring.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today