Published: 13/05/2021 Updated: 21/06/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote malicious users to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

Most Upvoted Vulmon Research Post

QNAP NAS HBS 3 Hybrid Backup Syn Hard-Coded Credentials QLocker Ransomware is using this vulnerability to encrypt files of QNAP customers. https://forum.qnap.com/viewtopic.php?t=160876&p=787015

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

qnap hybrid_backup_sync

Recent Articles

Researchers compile list of vulnerabilities abused by ransomware gangs
BleepingComputer • Sergiu Gatlan • 18 Sep 2021

Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks.
All this started with
, a member of Recorded Future's CSIRT (computer security incident response team), on Twitter over the weekend.
Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different s...

QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout
Threatpost • Lisa Vaas • 31 Aug 2021

On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.
The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption– and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.
These OpenSSL flaws are spreading ripples f...

eCh0raix Ransomware Variant Targets QNAP, Synology NAS Devices
Threatpost • Lisa Vaas • 10 Aug 2021

Operators of the nearly-year-old eCh0raix ransomware strain that’s been used to target QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns have, gotten more efficient. According to researchers, both have put out a new variant that can target either vendors’ devices in a single campaign.
In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 – an improper authorizati...

QNAP confirms Qlocker ransomware used HBS backdoor account
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.
"The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync)," the Taiwan-based NAS appliance maker said in a
issued today.
"To prevent infection from Qlocker, we recommend updating HBS 3 to the latest version."

QNAP removes backdoor account in NAS backup, disaster recovery app
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

QNAP has addressed a critical vulnerability allowing attackers to log into QNAP NAS (network-attached storage) devices using hardcoded credentials.
The hard-coded credentials vulnerability tracked as
was found by Taiwan-based
, the company's disaster recovery and data backup solution. 
The company says that the security bug is already fixed in the following HBS versions and advises customers to update the software to the latest released version: