Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
CVE-2021-28799

10CRITICAL

Key Information:

Vendor
QNAP
Status
Hbs 3
Hbs 2
Hbs 1.3
Vendor
CVE Published:
13 May 2021

Badges

πŸ’° RansomwareπŸ‘Ύ Exploit Exists🟣 EPSS 88%πŸ¦… CISA Reported

Summary

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited and is known by the CISA as enabling ransomware campaigns.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

HBS 1.3 all versions

HBS 2 all versions

HBS 3 QTS 4.3.3 < unspecified

References

https://www.qnap.com/en/security-advisory/QSA-21-13
x_refsource_MISC

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • πŸ’°

    Used in Ransomware

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ¦…

    CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

Credit

ZUSO ART
.