CVE-2021-28799

Known Exploited
Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Description

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects QNAP Systems Inc. HBS 3: versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect QNAP Systems Inc. HBS 2 or QNAP Systems Inc. HBS 1.3.

Remediation

Solution:

QNAP have already fixed this vulnerability in the following versions of HBS 3:

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

CVSS: 10.0
Severity: Critical
EPSS: 88.78% (Top 5%)
Vendor Advisory: qnap.com
Affected: QNAP Systems Inc. HBS 3
Not affected: QNAP Systems Inc. HBS 2
Not affected: QNAP Systems Inc. HBS 1.3

Frequently Asked Questions

What is the severity of CVE-2021-28799?
CVE-2021-28799 has been scored as a critical severity vulnerability.
How to fix CVE-2021-28799?
To fix CVE-2021-28799: QNAP have already fixed this vulnerability in the following versions of HBS 3:

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
Is CVE-2021-28799 being actively exploited in the wild?
It is confirmed that CVE-2021-28799 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~89% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-28799?
CVE-2021-28799 affects QNAP Systems Inc. HBS 3. QNAP Systems Inc. HBS 2 and QNAP Systems Inc. HBS 1.3 are not affected.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.