CVE-2025-11837
Published: 2026-01-02
Priority: P184 · CVSS 3.1 base score 9.8 (critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 1.44% (69.8th percentile)
An improper control of generation of code vulnerability has been reported to affect Malware Remover. Remote attackers can then exploit the vulnerability to bypass protection mechanisms.
We have already fixed the vulnerability in the following version:
Malware Remover 6.6.8.20251023 and later
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | malware_remover | >= 6.6.3 < 6.6.8.20251023 | 6.6.8.20251023 |
| qnap_systems_inc | malware_remover | >= 6.6.x < 6.6.8.20251023 | 6.6.8.20251023 |
Detection & IOCs (extracted from sources)
- Hunt for outbound HTTP/HTTPS connections carrying Protobuf-encoded, XOR-obfuscated traffic (the Go NAS build additionally gzip-compresses it) to AryStinger C2 infrastructure, including ajb8.com.
- Detect a Dropbear SSH listener on non-standard port 2332 on router devices as a persistence indicator for AryStinger infection.
- Alert on the presence of unexpected binaries under /tmp/bin on Linux-based router or NAS devices.
- Alert on running processes named syswapd0h or syswapd0w as indicators of AryStinger compromise.
- Monitor for execution of the open-source recon tools fscan, ksubdomain, and httpx on NAS devices; they are integrated into the AryStinger NAS build.
- The 4,300 infection count covers only RTL819X router nodes; QNAP NAS infections via CVE-2025-11837 have not been measured by XLab, so the true total is unknown.
- The hardcoded key 'sh_#@!_2024_secret' contains '2024', possibly indicating an earlier campaign start date, but XLab cannot confirm this.
- CVE-2025-11837 was patched by QNAP in Malware Remover 6.6.8.20251023 (November 2025), months before AryStinger began exploiting it in April 2026; unpatched devices remain at risk.
- AryStinger has not been attributed to any known threat actor; attribution remains an open investigation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 8.1 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | | 9.8 | CRITICAL | |
GHSA
GHSA-92w4-hf76-4gwf: An improper control of generation of code vulnerability has been reported to affect Malware Remover
ghsa_unreviewed · 2026-01-02 · CVE-2025-11837 · HIGH · CWE-94
VulnCheck
QNAP malware_remover Improper Control of Generation of Code ('Code Injection')
vulncheck · 2025 · CVE-2025-11837 · CRITICAL · CVSS 9.8
Affected: QNAP malware_remover
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/
No detection rules found.
No public exploits indexed.
Hackernews
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
blogs_hackernews · 2026-06-22 · CVE-2013-3307 · HIGH · CVSS 8.3
## AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising.
The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator.
Ea
Bleepingcomputer
AryStinger botnet infected thousands of D-Link routers worldwide
blogs_bleepingcomputer · 2026-06-21 · CVE-2013-3307 · HIGH · CVSS 8.3
## AryStinger botnet infected thousands of D-Link routers worldwide
By Bill Toulas
A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic.
Researchers at Qianxin's XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.
“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.
“With this distributed-like design, the attacker can efficiently complete the early "footprinting" activities, thereby providing strong
Bleepingcomputer
QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own
blogs_bleepingcomputer · 2025-11-07 · CVE-2025-62847 · HIGH · CVSS 8.1
## QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own
By Sergiu Gatlan
QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
The flaws impact QNAP's QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company's Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.
QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
To patch these security flaws, QNAP recommends updating software to the latest version and chan