NiceHash QuickMiner Remote Code Execution Vulnerability via Insecure Update Mechanism

Vulnerability

A remote code execution vulnerability has been identified in NiceHash QuickMiner version 6.12.0. The software update process runs over unencrypted HTTP and validates neither a digital signature nor a hash of the downloaded file. An attacker who can intercept or redirect traffic to the update URL can hijack the update process and deliver arbitrary executables that are automatically executed on the victim's system, leading to full remote code execution. This vulnerability represents a critical supply chain attack vector.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system.

Reproduction

To reproduce this vulnerability, first, redirect the update.nicehash.com domain to a local server using a DNS spoofing technique or by modifying the hosts file. Then, host a malicious update server that serves a trojanized executable. When NiceHash QuickMiner checks for updates, it will download the malicious executable from the update server and execute it automatically, without any user interaction.

Remediation

Until NiceHash releases a patch, users can block or restrict access to update.nicehash.com, manually update the software from trusted sources, enforce HTTPS interception checks at network gateways, and use endpoint protection to monitor for unauthorized process executions.
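The two checks the advisory says the update process lacks, transport and integrity, are sketched below as an added example; this is not NiceHash code. The function names, the `/qm.exe` path and the sample payloads are constructed, and the pinned digest is assumed to come from a trusted out-of-band source. A digest pin stands in here for full signature verification.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: updates may only come from the host named in the advisory.
ALLOWED_HOSTS = {"update.nicehash.com"}

class UpdateRejected(Exception):
    """Raised when a downloaded update must not be executed."""

def check_update_url(url: str) -> None:
    """Reject any update URL that is not HTTPS to an allowlisted host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected(f"insecure scheme {parts.scheme!r}")
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        raise UpdateRejected(f"unexpected host {parts.hostname!r}")

def check_update_digest(payload: bytes, pinned_sha256_hex: str) -> None:
    """Compare the payload's SHA-256 with a digest obtained out of band."""
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison; the pin is normalised before comparing.
    if not hmac.compare_digest(actual, pinned_sha256_hex.strip().lower()):
        raise UpdateRejected("SHA-256 mismatch")

def vet_update(url: str, payload: bytes, pinned_sha256_hex: str) -> str:
    """Return 'accept' or 'reject: <reason>'; nothing is executed here."""
    try:
        check_update_url(url)
        check_update_digest(payload, pinned_sha256_hex)
    except UpdateRejected as exc:
        return f"reject: {exc}"
    return "accept"

# Constructed sample data: stand-ins for a genuine and a substituted installer.
GENUINE = b"constructed genuine installer bytes"
SUBSTITUTED = b"constructed substituted installer bytes"
PINNED = hashlib.sha256(GENUINE).hexdigest()

if __name__ == "__main__":
    for url, blob in [
        ("https://update.nicehash.com/qm.exe", GENUINE),      # accepted
        ("http://update.nicehash.com/qm.exe", GENUINE),       # plain HTTP
        ("https://update.nicehash.com/qm.exe", SUBSTITUTED),  # swapped file
    ]:
        print(url, "->", vet_update(url, blob, PINNED))
```

The same digest comparison applies when updating manually: hash the installer obtained from the trusted source and compare it with the published value before running it.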

Added: Sep 30, 2025, 6:19 PM
Updated: Sep 30, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 10.0
exploitability: 5.6
remediation: 8.3
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.