Published: 13/05/2021 Updated: 21/06/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote malicious users to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

Most Upvoted Vulmon Research Post

QNAP NAS HBS 3 Hybrid Backup Syn Hard-Coded Credentials QLocker Ransomware is using this vulnerability to encrypt files of QNAP customers. https://forum.qnap.com/viewtopic.php?t=160876&p=787015

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

qnap hybrid_backup_sync

Recent Articles

QNAP confirms Qlocker ransomware used HBS backdoor account
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

QNAP is advising customers to update the HBS 3 disaster recovery app to block Qlocker ransomware attacks targeting their Internet-exposed Network Attached Storage (NAS) devices.
"The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync)," the Taiwan-based NAS appliance maker said in a
issued today.
"To prevent infection from Qlocker, we recommend updating HBS 3 to the latest version."

QNAP removes backdoor account in NAS backup, disaster recovery app
BleepingComputer • Sergiu Gatlan • 01 Jan 1970

QNAP has addressed a critical vulnerability allowing attackers to log into QNAP NAS (network-attached storage) devices using hardcoded credentials.
The hard-coded credentials vulnerability tracked as
was found by Taiwan-based
, the company's disaster recovery and data backup solution. 
The company says that the security bug is already fixed in the following HBS versions and advises customers to update the software to the latest released version: