What is CVE-2021-28799?

CVE-2021-28799 is a critical vulnerability affecting QNAP's Hybrid Backup Sync (HBS 3). Exploitation may allow remote attackers to log into affected devices. Immediate patching is crucial.

What is the severity of CVE-2021-28799?

CVE-2021-28799 has a severity rating of CRITICAL with a CVSS base score of 10.

Is CVE-2021-28799 in CISA KEV?

Yes. CVE-2021-28799 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

CVE-2021-28799 | Critical Vulnerability in QNAP Hybrid Backup Sync

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4.

The severity of this vulnerability is critical, with a CVSS score of 10. This indicates a significant risk to organizations, with potential impacts on confidentiality, integrity, and availability. Organizations should prioritize patching immediately to mitigate this risk.

As of now, there are no known public exploits for this vulnerability, but its presence in the Known Exploited Vulnerabilities catalog suggests potential for its exploitation in the wild. Organizations running affected versions of HBS 3 must act swiftly.

Organizations should address this vulnerability in their priority patch cycle to prevent unauthorized access to their systems.

Vulnerability Details

The improper authorization vulnerability in QNAP HBS 3 is classified under CWE-285. The publication date of this vulnerability was May 13, 2021. It affects multiple versions of QNAP's Hybrid Backup Sync software, specifically those prior to the indicated versions.

Technical Analysis

The root cause of the vulnerability is related to improper authorization checks that allow attackers to gain access without proper credentials. This vulnerability is exploitable remotely via network access.

The attack complexity is low, requiring no special privileges or user interaction. If exploited, this vulnerability can lead to high impacts on confidentiality, integrity, and availability, making it critical for organizations to remediate.

Risk & Impact Analysis

Risk to organizations includes unauthorized access to sensitive data and complete control over the affected NAS devices. Given the critical nature of this vulnerability, the potential blast radius is significant, affecting any organization utilizing the vulnerable software versions. Organizations should prioritize patching immediately.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	Yes
Ransomware Use	Yes

Affected Versions

The following versions of QNAP HBS 3 are affected: versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4.

Mitigation & Remediation

To remediate this vulnerability, organizations should apply the updates provided by QNAP according to their security advisory. The specific versions to upgrade to are: HBS 3 v16.0.0415 or later on QTS 4.5.2; v3.0.210412 or later on QTS 4.3.6; v3.0.210411 or later on QTS 4.3.4; v3.0.210411 or later on QTS 4.3.3; v16.0.0419 or later on QuTS hero h4.5.1; and v16.0.0419 or later on QuTScloud c4.5.1~c4.5.4.

Organizations may also consider implementing additional network controls and configuration hardening to mitigate the risk until patches can be applied. Continuous security testing can help identify any lingering vulnerabilities.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unauthorized access attempts and unusual login patterns. Behavioral anomalies in user activities should also be investigated.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of robust authorization checks in network-connected devices. As organizations increasingly rely on cloud and hybrid backup solutions, the need for vigilant security measures is paramount. Security teams should consider regular audits and comprehensive security assessments to identify similar weaknesses.

The ongoing trend of vulnerabilities in NAS devices signifies that attackers may increasingly target these systems, necessitating a proactive approach to security.

Continuous penetration testing services could further bolster defenses against such vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2021-28799: Critical Vulnerability in QNAP Hybrid Backup Sync