CVE-2025-11837
published 2026-01-02


Priority: P184 (critical), CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: listed in VulnCheck KEV, exploited in the wild
EPSS: 1.44% (69.8th percentile)
An improper control of generation of code vulnerability has been reported to affect Malware Remover. Remote attackers can exploit the vulnerability to bypass a protection mechanism. We have already fixed the vulnerability in the following version: Malware Remover 6.6.8.20251023 and later.

Affected (2 ranges)

Vendor              Product           Version range                  Fixed in
qnap                malware_remover   >= 6.6.3 < 6.6.8.20251023      6.6.8.20251023
qnap_systems_inc    malware_remover   >= 6.6.x < 6.6.8.20251023      6.6.8.20251023

Detection & IOCs (extracted from sources)

  • ip: 107.150.106.14
  • port: 2332
  • path: /tmp/bin
  • process: syswapd0h
  • process: syswapd0w
  • other: sh_#@!_2024_secret
  • Hunt for outbound HTTP/HTTPS connections carrying Protobuf-encoded, XOR-obfuscated traffic (Go NAS build additionally gzip-compressed) to AryStinger C2 infrastructure including ajb8.com.
  • Detect Dropbear SSH listener on non-standard port 2332 on router devices as a persistence indicator for AryStinger infection.
  • Alert on presence of unexpected binaries under /tmp/bin on Linux-based router or NAS devices.
  • Alert on running processes named syswapd0h or syswapd0w as indicators of AryStinger compromise.
  • Monitor for execution of open-source recon tools fscan, ksubdomain, and httpx on NAS devices, which are integrated into the AryStinger NAS build.
  • The 4,300 infection count covers only RTL819X router nodes; QNAP NAS infections via CVE-2025-11837 have not been measured by XLab, so the true total is unknown.
  • The hardcoded key 'sh_#@!_2024_secret' contains '2024', possibly indicating an earlier campaign start date, but XLab cannot confirm this.
  • CVE-2025-11837 was patched by QNAP in Malware Remover 6.6.8.20251023 (November 2025), months before AryStinger began exploiting it in April 2026; unpatched devices remain at risk.
  • AryStinger has not been attributed to any known threat actor; attribution remains an open investigation.
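The host-level indicators above (process names, the Dropbear listener on port 2332, binaries under /tmp/bin, the C2 address and the bundled recon tools) can be checked mechanically against routine inventory output from a NAS or router. The script below is an added example written for this page; it is not code from cbcvebase, XLab or QNAP. The `ps`, `ss` and file-listing snippets embedded in it are constructed samples, and the function names are the author's own; only the indicator values are taken from the page.

```python
"""Match the AryStinger host indicators listed on this page against
inventory snippets (process list, socket table, file listing).

The SAMPLE_* data below is constructed for illustration and is not a
real capture; the indicator values themselves come from the CVE page.
"""
import re

# Indicator values taken from the page.
IOC_PROCESSES = {"syswapd0h", "syswapd0w"}
IOC_PORT = 2332                      # Dropbear listener used for persistence
IOC_PATH_PREFIX = "/tmp/bin"         # staging directory for dropped binaries
IOC_C2_IP = "107.150.106.14"
RECON_TOOLS = {"fscan", "ksubdomain", "httpx"}   # bundled in the NAS build

# Constructed sample outputs (hypothetical, not from a real device).
SAMPLE_PS = """\
PID   USER     COMMAND
  1   root     /sbin/init
412   root     /usr/sbin/dropbear -p 2332
987   root     /tmp/bin/syswapd0h
988   root     syswapd0w
1203  admin    /usr/bin/httpx -l targets.txt
"""

SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:2332        0.0.0.0:*
ESTAB   0       0       192.168.1.10:41822  107.150.106.14:443
"""

SAMPLE_FILES = ["/tmp/bin/syswapd0h", "/tmp/bin/fscan", "/usr/bin/ls"]


def scan_processes(ps_text):
    """Return (pid, executable basename, reason) for each suspicious process."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 2)                # pid, user, full command
        if len(parts) < 3:
            continue
        pid, _user, cmd = parts
        exe = cmd.split()[0].rsplit("/", 1)[-1]    # basename of argv[0]
        if exe in IOC_PROCESSES:
            hits.append((int(pid), exe, "known AryStinger process name"))
        elif exe in RECON_TOOLS:
            hits.append((int(pid), exe, "recon tool bundled in NAS build"))
        elif exe == "dropbear" and f"-p {IOC_PORT}" in cmd:
            hits.append((int(pid), exe, f"dropbear on non-standard port {IOC_PORT}"))
    return hits


# state  recv-q  send-q  local:port  peer:port
SOCKET_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)$")


def scan_sockets(ss_text):
    """Return ('listener', addr) for port-2332 listeners and ('c2-peer', addr)
    for any connection whose peer is the listed C2 address."""
    hits = []
    for line in ss_text.splitlines()[1:]:
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue
        state, laddr, lport, paddr, pport = m.groups()
        if state == "LISTEN" and int(lport) == IOC_PORT:
            hits.append(("listener", f"{laddr}:{lport}"))
        if paddr == IOC_C2_IP:
            hits.append(("c2-peer", f"{paddr}:{pport}"))
    return hits


def scan_paths(paths):
    """Return every path that lives under the /tmp/bin staging directory."""
    return [p for p in paths if p.startswith(IOC_PATH_PREFIX + "/")]


def assess(ps_text=SAMPLE_PS, ss_text=SAMPLE_SS, paths=SAMPLE_FILES):
    """Run all three checks and flag the host if any indicator matched."""
    report = {
        "processes": scan_processes(ps_text),
        "sockets": scan_sockets(ss_text),
        "paths": scan_paths(paths),
    }
    report["indicators_found"] = any(report[k] for k in ("processes", "sockets", "paths"))
    return report


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

On a real device, feed `assess()` the output of `ps`, `ss -tn` (or `netstat -tn`) and a file walk of /tmp instead of the constructed samples; the column layout assumed by `scan_processes` and `SOCKET_RE` matches the samples and may need adjusting for a particular busybox build. A match on any single indicator is enough to warrant isolating the device and checking the Malware Remover version against 6.6.8.20251023.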

CVSS provenance

  • nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd, v4.0: 8.1 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • vulncheck: 9.8 CRITICAL