CVE-2021-28799

CVE-2021-28799 is a critical-severity vulnerability in Qnap Hybrid Backup Sync with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-31). The underlying weakness is classified as CWE-285.

Key facts

Description

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

CVE-2021-28799: Improper Authorization in QNAP HBS 3 Enables Remote Device Access

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-28799
CWE CWE-285 — Improper Authorization
CVSS v3.1 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS 0.78395 (99.53rd percentile)
KEV Yes — added to CISA catalog 2022-03-31
Published 2021-05-13
Vendor QNAP Systems Inc.

2. Summary

QNAP Hybrid Backup Sync (HBS) 3 contains an improper authorization flaw that allows remote attackers to authenticate to and access a NAS device without valid credentials.

3. Background

Hybrid Backup Sync is QNAP's integrated backup and disaster-recovery solution for NAS appliances. It is bundled across multiple QTS, QuTS hero, and QuTScloud firmware lines. In April 2021, QNAP disclosed that HBS 3 was missing an authorization check on a critical authentication path, enabling remote actors to log in directly.

4. Root Cause

The vulnerability maps to CWE-285 (Improper Authorization). The HBS 3 service failed to enforce adequate access controls during an authentication or session-establishment workflow, allowing an external party to bypass identity verification and gain a valid session on the device.

5. Impact

The CVSS v3.1 score is 10.0 (Critical) with a changed scope:

  • Attack Vector: Network — exploitable remotely without local access.
  • Attack Complexity: Low — no special conditions required.
  • Privileges Required: None — no account needed.
  • User Interaction: None — fully automated.
  • Scope: Changed — the vulnerable component impacts resources beyond its security scope.
  • Confidentiality, Integrity, Availability: All rated High.

Successful exploitation grants an attacker full administrative-level access to the NAS, including stored backups, shared folders, and the ability to deploy ransomware or exfiltrate sensitive data.

6. Exploitation Walkthrough

Ethics caveat: This description is intentionally defensive and generic. No weaponized proof-of-concept code is provided.

An attacker can reach the exposed HBS 3 authentication endpoint over the network and supply a crafted request that bypasses the missing authorization check. Because the flaw resides in the authorization layer rather than a credential-validation layer, traditional brute-force or credential-stuffing is unnecessary; the service simply grants access. Devices with HBS 3 exposed to the internet (especially via default or forwarded ports) are at highest risk.

7. Affected and Patched Versions

Firmware / Platform Affected Patched
QTS 4.5.2 HBS 3 prior to v16.0.0415 Upgrade to v16.0.0415 or later
QTS 4.3.6 HBS 3 prior to v3.0.210412 Upgrade to v3.0.210412 or later
QTS 4.3.4 HBS 3 prior to v3.0.210411 Upgrade to v3.0.210411 or later
QTS 4.3.3 HBS 3 prior to v3.0.210411 Upgrade to v3.0.210411 or later
QuTS hero h4.5.1 HBS 3 prior to v16.0.0419 Upgrade to v16.0.0419 or later
QuTScloud c4.5.1–c4.5.4 HBS 3 prior to v16.0.0419 Upgrade to v16.0.0419 or later

Not affected: HBS 2 and HBS 1.3.

8. Remediation

  1. Upgrade immediately to the patched HBS 3 version listed for your QNAP firmware.
  2. Restrict network exposure — do not place NAS management or HBS ports on the public internet; use a VPN or private backbone for remote access.
  3. Segment the NAS into a dedicated VLAN or network zone with limited egress/ingress.
  4. Enable automatic security updates and subscribe to QNAP security advisories.
  5. Review backup integrity — verify that existing backup jobs and snapshots have not been tampered with.

9. Detection

  • Monitor NAS authentication logs for anomalous successful logins from unexpected source IPs, especially geolocations or ASNs outside normal administrative patterns.
  • Alert on concurrent admin sessions or login attempts to HBS-specific endpoints without preceding VPN events.
  • Review EDR or network telemetry for lateral movement originating from the NAS after authentication.
  • Use CISA's KEV catalog and EPSS scores to prioritize patching; an EPSS of 0.78395 indicates a very high probability of active exploitation.

10. Assessment

With an EPSS of 0.78395 and confirmed inclusion in both the CISA KEV catalog (2022-03-31) and the EUVD (EUVD-2021-15455), this vulnerability is not theoretical — it is being actively exploited in the wild. The perfect CVSS 3.1 score of 10.0 reflects a worst-case exposure: network-accessible, no credentials, no user interaction, and full CIA impact.

Key lessons:

  • Authorization checks must be enforced on every authentication path, especially on services exposed to backup and sync workflows.
  • Internet-exposed NAS devices remain high-value targets for ransomware operators; network architecture should assume such bugs will be found.

11. References

Frequently asked questions

What is CVE-2021-28799?
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
How severe is CVE-2021-28799?
CVE-2021-28799 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-28799 being actively exploited?
Yes. CVE-2021-28799 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-28799?
CVE-2021-28799 affects Qnap Hybrid Backup Sync. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-28799?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-28799 have an EU (EUVD) identifier?
Yes. CVE-2021-28799 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-15455. It is also flagged as exploited in the EUVD (since 2022-03-31).
When was CVE-2021-28799 published?
CVE-2021-28799 was published on 2021-05-13 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Qnap Hybrid Backup Sync

All CVEs affecting Qnap Hybrid Backup Sync →

Other CWE-285 (Improper Authorization) vulnerabilities

Browse all CWE-285 (Improper Authorization) vulnerabilities →