CVE-2025-11837
ENISA EUVD: EUVD-2026-0672 ↗
✓ Confirmed 0-Day
Triaged: March 5, 2026
1 article
Published: 2026-01-02
EPSS Score
Source: FIRST.org · 2026-05-24
0.13%
probability
This CVE has a 0.13% probability
of being exploited in the next 30 days.
0%
Top 32.1th percentile of all CVEs
100%
CVSS v4.0 NEW
Source: VulnerabilityLookup (CIRCL)8.1
HIGH
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vulnerable System Confidentiality Impact
High
Vulnerable System Integrity Impact
High
Vulnerable System Availability Impact
High
Subsequent System Confidentiality Impact
None
Subsequent System Integrity Impact
None
Subsequent System Availability Impact
None
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Description
VulnerabilityLookup (CNA)An improper control of generation of code vulnerability has been reported to affect Malware Remover. The remote attackers can then exploit the vulnerability to bypass protection mechanism.
We have already fixed the vulnerability in the following version:
Malware Remover 6.6.8.20251023 and later
Affected Products
QNAP Systems Inc.
Malware Remover
6.6.x
Attack Intelligence
Signal Intelligence
Confidence
85%
EPSS
0.13%
CVSS v4.0
8.1
Mentions
1
Last Seen
Nov 07, 2025
CNA Information
CNA Assigner
qnap
CNA Title
Malware Remover
Analyst Note
CVE-2025-11837 is explicitly named in a BleepingComputer article titled 'QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own,' indicating active exploitation at the Pwn2Own competition (a live hacking event) before patch availability. The CVE year 2025 and recent patch date (October 23, 2025) align with the zero-day exploitation timeline at Pwn2Own.
Threat Actors 2
Hacking Team
apt_group
🇮🇹 IT
Mana Team
apt_group
🇨🇳 CN
Triage Info
Decided atMar 05, 2026
Published DateJan 02, 2026