Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
CVE-2021-28799

9.8CRITICAL

Key Information:

Vendor: QNAP
Status: Hbs 3; Hbs 2; Hbs 1.3
Vendor: CVE Published:; 13 May 2021

Badges

💰 Ransomware👾 Exploit Exists🟣 EPSS 88%🦅 CISA Reported

What is CVE-2021-28799?

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

CISA has reported CVE-2021-28799

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2021-28799 as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

HBS 1.3 all versions

HBS 2 all versions

HBS 3 QTS 4.3.3 < unspecified

References

https://www.qnap.com/en/security-advisory/QSA-21-13

x_refsource_MISC

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

💰
Used in Ransomware
Mar 31, 2022
👾
Exploit known to exist
Mar 31, 2022
🦅
CISA Reported
Mar 31, 2022
Vulnerability published
May 13, 2021
Vulnerability Reserved
Mar 18, 2021

Credit

ZUSO ART