CVE-2025-62842
Published: 02 January 2026
Summary
CVE-2025-62842 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in QNAP Hybrid Backup Sync. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents external control of file name or path by validating inputs to block path traversal attacks in HBS 3 Hybrid Backup Sync.
Addresses the specific flaw through timely patching to HBS 3 version 26.2.0.938 or later, eliminating the vulnerability as per QNAP advisory.
Limits damage from low-privilege exploitation by ensuring accounts have only necessary privileges to access files and directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CWE-73 enables direct arbitrary local file read (T1005) and modification/deletion (T1565.001, T1070.004) on the affected system.
NVD Description
An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later
Deeper analysis
CVE-2025-62842 is an external control of file name or path vulnerability (CWE-73) affecting HBS 3 Hybrid Backup Sync. Published on 2026-01-02, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability, with low attack complexity and low privileges required.
An attacker with local network access and low privileges on the affected system can exploit this vulnerability to read or modify arbitrary files or directories, potentially leading to significant data compromise or system disruption.
QNAP's security advisory (QSA-25-46) states that the vulnerability has been fixed in HBS 3 Hybrid Backup Sync version 26.2.0.938 and later; users should update to a patched version for mitigation. Full details are available at https://www.qnap.com/en/security-advisory/qsa-25-46.
Details
- CWE(s)