CVE-2021-28799
CVE-2021-28799 is a critical-severity vulnerability in Qnap Hybrid Backup Sync with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-31). The underlying weakness is classified as CWE-285.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v2: 7.5
- EPSS exploit prediction: 78% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-31)
- EU (EUVD) id: EUVD-2021-15455
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-31)
- Weakness: CWE-285
- Affected product: Qnap Hybrid Backup Sync
- Published:
- Last modified:
Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
CVE-2021-28799: Improper Authorization in QNAP HBS 3 Enables Remote Device Access
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-28799 |
| CWE | CWE-285 — Improper Authorization |
| CVSS v3.1 | 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| EPSS | 0.78395 (99.53rd percentile) |
| KEV | Yes — added to CISA catalog 2022-03-31 |
| Published | 2021-05-13 |
| Vendor | QNAP Systems Inc. |
2. Summary
QNAP Hybrid Backup Sync (HBS) 3 contains an improper authorization flaw that allows remote attackers to authenticate to and access a NAS device without valid credentials.
3. Background
Hybrid Backup Sync is QNAP's integrated backup and disaster-recovery solution for NAS appliances. It is bundled across multiple QTS, QuTS hero, and QuTScloud firmware lines. In April 2021, QNAP disclosed that HBS 3 was missing an authorization check on a critical authentication path, enabling remote actors to log in directly.
4. Root Cause
The vulnerability maps to CWE-285 (Improper Authorization). The HBS 3 service failed to enforce adequate access controls during an authentication or session-establishment workflow, allowing an external party to bypass identity verification and gain a valid session on the device.
5. Impact
The CVSS v3.1 score is 10.0 (Critical) with a changed scope:
- Attack Vector: Network — exploitable remotely without local access.
- Attack Complexity: Low — no special conditions required.
- Privileges Required: None — no account needed.
- User Interaction: None — fully automated.
- Scope: Changed — the vulnerable component impacts resources beyond its security scope.
- Confidentiality, Integrity, Availability: All rated High.
Successful exploitation grants an attacker full administrative-level access to the NAS, including stored backups, shared folders, and the ability to deploy ransomware or exfiltrate sensitive data.
6. Exploitation Walkthrough
Ethics caveat: This description is intentionally defensive and generic. No weaponized proof-of-concept code is provided.
An attacker can reach the exposed HBS 3 authentication endpoint over the network and supply a crafted request that bypasses the missing authorization check. Because the flaw resides in the authorization layer rather than a credential-validation layer, traditional brute-force or credential-stuffing is unnecessary; the service simply grants access. Devices with HBS 3 exposed to the internet (especially via default or forwarded ports) are at highest risk.
7. Affected and Patched Versions
| Firmware / Platform | Affected | Patched |
|---|---|---|
| QTS 4.5.2 | HBS 3 prior to v16.0.0415 | Upgrade to v16.0.0415 or later |
| QTS 4.3.6 | HBS 3 prior to v3.0.210412 | Upgrade to v3.0.210412 or later |
| QTS 4.3.4 | HBS 3 prior to v3.0.210411 | Upgrade to v3.0.210411 or later |
| QTS 4.3.3 | HBS 3 prior to v3.0.210411 | Upgrade to v3.0.210411 or later |
| QuTS hero h4.5.1 | HBS 3 prior to v16.0.0419 | Upgrade to v16.0.0419 or later |
| QuTScloud c4.5.1–c4.5.4 | HBS 3 prior to v16.0.0419 | Upgrade to v16.0.0419 or later |
Not affected: HBS 2 and HBS 1.3.
8. Remediation
- Upgrade immediately to the patched HBS 3 version listed for your QNAP firmware.
- Restrict network exposure — do not place NAS management or HBS ports on the public internet; use a VPN or private backbone for remote access.
- Segment the NAS into a dedicated VLAN or network zone with limited egress/ingress.
- Enable automatic security updates and subscribe to QNAP security advisories.
- Review backup integrity — verify that existing backup jobs and snapshots have not been tampered with.
9. Detection
- Monitor NAS authentication logs for anomalous successful logins from unexpected source IPs, especially geolocations or ASNs outside normal administrative patterns.
- Alert on concurrent admin sessions or login attempts to HBS-specific endpoints without preceding VPN events.
- Review EDR or network telemetry for lateral movement originating from the NAS after authentication.
- Use CISA's KEV catalog and EPSS scores to prioritize patching; an EPSS of 0.78395 indicates a very high probability of active exploitation.
10. Assessment
With an EPSS of 0.78395 and confirmed inclusion in both the CISA KEV catalog (2022-03-31) and the EUVD (EUVD-2021-15455), this vulnerability is not theoretical — it is being actively exploited in the wild. The perfect CVSS 3.1 score of 10.0 reflects a worst-case exposure: network-accessible, no credentials, no user interaction, and full CIA impact.
Key lessons:
- Authorization checks must be enforced on every authentication path, especially on services exposed to backup and sync workflows.
- Internet-exposed NAS devices remain high-value targets for ransomware operators; network architecture should assume such bugs will be found.
11. References
Frequently asked questions
- What is CVE-2021-28799?
- An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
- How severe is CVE-2021-28799?
- CVE-2021-28799 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-28799 being actively exploited?
- Yes. CVE-2021-28799 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-28799?
- CVE-2021-28799 affects Qnap Hybrid Backup Sync. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-28799?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-28799 have an EU (EUVD) identifier?
- Yes. CVE-2021-28799 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-15455. It is also flagged as exploited in the EUVD (since 2022-03-31).
- When was CVE-2021-28799 published?
- CVE-2021-28799 was published on 2021-05-13 and last updated on 2026-06-17.
References
- https://www.qnap.com/en/security-advisory/QSA-21-13
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799
Affected products (1)
- cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
More vulnerabilities in Qnap Hybrid Backup Sync
- CVE-2024-50388 — Critical (CVSS 9.8): An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the…
- CVE-2021-28809 — Critical (CVSS 9.8): An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited,…
- CVE-2024-53695 — Critical (CVSS 9.1): A buffer overflow vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability…
- CVE-2025-62842 — High (CVSS 7.8): An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an…
- CVE-2025-62840 — Low (CVSS 3.3): A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid…
All CVEs affecting Qnap Hybrid Backup Sync →
Other CWE-285 (Improper Authorization) vulnerabilities
- CVE-2025-65041 — Critical (CVSS 10.0): Improper authorization in Microsoft Partner Center allows an unauthorized attacker to elevate privileges over a network.
- CVE-2023-33189 — Critical (CVSS 10.0): Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization…
- CVE-2022-2595 — Critical (CVSS 10.0): Improper Authorization in GitHub repository kromitgmbh/titra prior to 0.79.1.
- CVE-2026-34048 — Critical (CVSS 9.9): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to…
- CVE-2026-5412 — Critical (CVSS 9.9): In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated…
- CVE-2026-30956 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can…
Browse all CWE-285 (Improper Authorization) vulnerabilities →