CVE-2021-28799
Published on May 13, 2021
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Known Exploited Vulnerability
This QNAP NAS Improper Authorization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device.
The following remediation steps are recommended / required by April 21, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2021-28799 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Products Associated with CVE-2021-28799
You can be notified by stack.watch whenever vulnerabilities like CVE-2021-28799 are published in these products:
What versions are vulnerable to CVE-2021-28799?
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.