High

Code Injection RCE in QNAP Malware Remover

IdentifiersCVE-2025-11837CWE-94· Improper Control of Generation of…

CVE-2025-11837 is a code injection vulnerability in QNAP Malware Remover. QNAP describes the issue as improper control of generation of code. Supporting reporting indicates the specific flaw exists in the malware_remover.cgi endpoint, where improper validation of a user-supplied string before it is used to execute Python code allows a network-adjacent attacker to inject and execute arbitrary code. The issue was demonstrated against QNAP TS-453E devices at Pwn2Own Ireland 2025 and later observed being used by the AryStinger malware to target QNAP NAS devices. QNAP fixed the vulnerability in Malware Remover version 6.6.8.20251023 and later.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows unauthenticated, network-adjacent attackers to execute arbitrary code on affected QNAP NAS devices, reportedly with root privileges. QNAP’s advisory language also states the flaw can be used to bypass a protection mechanism. In practice, this can result in full compromise of the device, including execution of malware, persistence, tampering with security controls, and loss of confidentiality, integrity, and availability.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure to network-adjacent attackers by restricting access to the affected NAS management interfaces and the vulnerable Malware Remover functionality to trusted administrative networks only, disabling unnecessary adjacent-network access paths, and monitoring for suspicious requests to malware_remover.cgi. These are compensating controls only; no vendor workaround beyond upgrading is provided in the supplied content.

Remediation

Patch, then assume compromise.

Upgrade QNAP Malware Remover to version 6.6.8.20251023 or later. QNAP advisory QSA-25-47 contains the vendor remediation details. Because the flaw has been reported as exploited by malware operators after disclosure, affected systems should be updated immediately and assessed for post-compromise indicators if they were exposed prior to patching.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

QNAP SystemsMalware Removerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

22 SOURCESView more in app

cyber security newsNews

Jun 22, 2026

AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network

A vulnerability used to spread the AryStinger Standard variant to NAS devices.

security affairsNews

Jun 22, 2026

4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware

A code injection vulnerability in QNAP Malware Remover used by AryStinger's Go-based variant to target NAS devices; notable because attackers exploited it within months of patch release.

the hacker newsNews

Jun 22, 2026

AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

A code injection vulnerability in QNAP Malware Remover that a second AryStinger strain uses to target QNAP NAS devices.

xakepNews

Jun 22, 2026

Ботнет AryStinger заразил тысячи роутеров D-Link - Хакер

A vulnerability exploited by the AryStinger botnet to compromise outdated routers, particularly D-Link DIR-850L and DIR-818LW devices.

+9 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware8

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-11837

NVD

nvd.nist.gov/vuln/detail/CVE-2025-11837

MITRE CWE · CWE-94

Improper Control of Generation of Code ('Code…

Vendor Advisory

qnap.com/en/security-advisory/qsa-25-47