Cyber Resilience

CVE-2021-28799

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 13 May 2021

Modified: 03 November 2025
KEV Added: 31 March 2022
Patch
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9237 (99.7th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-28799 is a critical-severity Improper Authorization (CWE-285) vulnerability in QNAP Hybrid Backup Sync (HBS 3). Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

An improper authorization vulnerability affects QNAP NAS devices running HBS 3 (Hybrid Backup Sync) versions prior to v16.0.0415 on QTS 4.5.2, prior to v3.0.210412 on QTS 4.3.6, prior to v3.0.210411 on QTS 4.3.4 and 4.3.3, and prior to v16.0.0419 on QuTS hero h4.5.1 and QuTScloud c4.5.1 through c4.5.4. The flaw is absent from HBS 2 and HBS 1.3. Successful exploitation permits remote attackers to authenticate to the device without valid credentials.

Attackers require no authentication or user interaction and can achieve full device login over the network, resulting in complete compromise of confidentiality, integrity, and availability as reflected in the CVSS 10.0 score.

QNAP has published advisory QSA-21-13 detailing the affected builds and corrective updates. The vulnerability also appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.

Vulnerability details

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; and versions prior to v16.0.0419 on QuTScloud c4.5.1 through c4.5.4. This issue does not affect QNAP Systems Inc. HBS 2 or HBS 1.3.

CWE(s): CWE-285 (Improper Authorization)
KEV Date Added: 31 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: QNAP
Product: Hybrid Backup Sync (HBS 3)
Versions: ≤ 16.0.0415 · ≤ 3.0.210412 · ≤ 3.0.210411

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authorization decisions so that remote attackers cannot obtain a login session on HBS 3 without presenting valid credentials.

IA-2 Identification and Authentication (Organizational Users) (prevent)

Requires successful identification and authentication of users before allowing device access, blocking the unauthenticated login path exploited by CVE-2021-28799.

AC-17 Remote Access (partial match, prevent)

Restricts and authorizes remote connections to the NAS, limiting the network attack surface that the improper-authorization flaw relies on.

References