CVE-2021-28799

Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

CVSS 10 CRITICAL | EPSS 78.4% | KEV | CWE-285

In short

A flaw in QNAP's HBS 3 backup software allows attackers to log into NAS devices without proper credentials. This is critical because it gives unauthorized users full access to stored data and system controls.

Technical detail

An improper authorization vulnerability in HBS 3 permits remote unauthenticated attackers to bypass authentication mechanisms and gain administrative access to QNAP NAS appliances. The vulnerability affects multiple QTS and QuTS hero versions; exploitation requires network access but no user interaction or valid credentials.

Summary generated and translated by AI from the official description.
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
