Hijacking the Miner – Zero-Click RCE in NiceHash QuickMiner
Advisory ID: 2025-001
CVE ID: CVE-2025-56513
Disclosure Date: September 2025
Severity: Critical (Remote Code Execution)
Discovered by: Prince T Philip (Independent Security Researcher)
---
Summary
A critical vulnerability was discovered in NiceHash QuickMiner (v6.12.0, build 2025-07-03): the update mechanism downloads software updates over unencrypted HTTP and does not verify digital signatures or hashes. This enables a remote adversary to hijack the update process and execute arbitrary code on victim systems without user interaction.
---
Vulnerability Details
Vulnerability Type: Improper Input Validation / Insecure Update Mechanism
Attack Vector: Remote (via DNS spoofing, MITM, or rogue DHCP)
Impact:
- Remote Code Execution (RCE)
- Information Disclosure
Requirements:
The attacker must be able to intercept or redirect traffic to update.nicehash.com. Once redirected, the miner automatically downloads a malicious update.json and payload executable, which is executed without verification.
---
Technical Description
When QuickMiner checks for updates, it fetches update.json and the updated binary via HTTP. Because there is no TLS/HTTPS enforcement, certificate pinning, or hash/signature validation, a malicious update server can deliver a trojanized executable. The client will automatically run this binary, leading to zero-click full compromise.
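The checks this section lists as missing, shown as an added Python example that is not NiceHash's code or the researcher's. The manifest field names `url` and `sha256` and the sample file name are assumptions, since the advisory does not show the format of update.json.

```python
import hashlib
import hmac
import json
import re
from urllib.parse import urlsplit

# Host name taken from the advisory; the allow-list itself is part of this example.
ALLOWED_HOSTS = {"update.nicehash.com"}

class UpdateRejected(Exception):
    """Raised when an update fails a transport or integrity check."""

def require_https(url: str) -> str:
    """Reject any URL that is not https:// on an allow-listed host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"plaintext or unknown scheme: {url}")
    if parts.hostname not in ALLOWED_HOSTS:
        raise UpdateRejected(f"unexpected update host: {parts.hostname}")
    return url

def parse_manifest(raw: bytes) -> dict:
    """Parse the manifest; 'url' and 'sha256' are hypothetical field names."""
    try:
        manifest = json.loads(raw)
        url, digest = manifest["url"], manifest["sha256"]
    except (ValueError, KeyError, TypeError) as exc:
        raise UpdateRejected(f"malformed manifest: {exc}") from exc
    if not isinstance(url, str) or not isinstance(digest, str):
        raise UpdateRejected("manifest fields must be strings")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", digest):
        raise UpdateRejected("manifest digest is not a SHA-256 hex string")
    # The payload URL gets the same transport check as the manifest URL.
    return {"url": require_https(url), "sha256": digest.lower()}

def verify_payload(manifest: dict, payload: bytes) -> bool:
    """Compare downloaded bytes with the manifest digest before anything runs."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        raise UpdateRejected("payload hash does not match manifest")
    return True

if __name__ == "__main__":
    # Constructed sample data, not a real QuickMiner manifest or binary.
    good = b"constructed installer bytes"
    raw = json.dumps({"url": "https://update.nicehash.com/example-update.exe",
                      "sha256": hashlib.sha256(good).hexdigest()}).encode()
    print(verify_payload(parse_manifest(raw), good))
```

A digest carried in the manifest is only as trustworthy as the manifest itself, so the manifest URL must pass `require_https` before it is fetched with certificate validation. Signature validation, which this section also names, would authenticate the manifest independently of the transport.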
---
Affected Products
Vendor: NiceHash
Product: QuickMiner
Version: 6.12.0 (2025-07-03 build)
---
Exploit Scenario
1. Attacker gains control of DNS resolution or network path (e.g., /etc/hosts poisoning, MITM).
2. Victim’s QuickMiner instance requests updates from update.nicehash.com.
3. Attacker serves malicious update.json + payload.
4. QuickMiner executes the payload automatically → remote code execution achieved.
---
Mitigation
Until a patch is released by NiceHash:
- Block or restrict access to update.nicehash.com.
- Only update software manually from trusted sources.
- Enforce HTTPS/TLS interception checks at network gateways.
- Use endpoint protection to monitor unauthorized process executions.
---
Timeline
2025-07-03: Vulnerability discovered in QuickMiner build.
2025-08: Vendor notified and confirmed issue.
2025-09: CVE assigned (CVE-2025-56513).
2025-09: Public disclosure via Medium and CVE request.
---
References
Medium advisory: Hijacking the Miner – Zero-Click RCE in NiceHash QuickMiner
CVE Record: CVE-2025-56513 (Reserved)
---
Credits
Research & Discovery: Prince T Philip (Independent Researcher)
---
