CVE-2025-62842

Severity: High
Published: 02 January 2026
Modified: 05 February 2026
KEV Added: not listed
Patch: available (HBS 3 Hybrid Backup Sync 26.2.0.938 and later)
CVSS v4 Score: 7.0 (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (4.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62842 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in QNAP Hybrid Backup Sync. Its CVSS v4 base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The vulnerability is ranked at the 4.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62842 is an external control of file name or path vulnerability (CWE-73) affecting HBS 3 Hybrid Backup Sync. Published on 2026-01-02, it has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability with low attack complexity and only low privileges required. Note that the v3.1 vector (local access) differs from the v4 vector shown above (physical access), which is why the two scores differ.

An attacker with local network access and low privileges on the affected system can exploit this vulnerability to read or modify arbitrary files or directories, potentially leading to significant data compromise or system disruption.

QNAP's security advisory (QSA-25-46) states that the vulnerability has been fixed in HBS 3 Hybrid Backup Sync version 26.2.0.938 and later; users should update to a patched version for mitigation. Full details are available at https://www.qnap.com/en/security-advisory/qsa-25-46.

Vulnerability details

An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later.

CWE(s)

CWE-73 External Control of File Name or Path

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

T1070.004 File Deletion (Defense Evasion)
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

CWE-73 enables direct arbitrary local file read (T1005) and modification/deletion (T1565.001, T1070.004) on the affected system.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-53695 (same product: QNAP Hybrid Backup Sync)
CVE-2025-66277 (same product class: NAS / storage appliance)
CVE-2025-52869 (same product class: NAS / storage appliance)
CVE-2025-57713 (same product class: NAS / storage appliance)
CVE-2024-48864 (same product class: NAS / storage appliance)
CVE-2025-44015 (same product class: NAS / storage appliance)
CVE-2025-59389 (same product class: NAS / storage appliance)
CVE-2025-9110 (same product class: NAS / storage appliance)
CVE-2025-30273 (same product class: NAS / storage appliance)
CVE-2024-56804 (same product class: NAS / storage appliance)

Affected Assets

Vendor: QNAP
Product: Hybrid Backup Sync
Affected versions: ≤ 26.2.0.938

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)
Directly prevents external control of file name or path by validating inputs to block path traversal attacks in HBS 3 Hybrid Backup Sync.

SI-2 Flaw Remediation (prevent)
Addresses the specific flaw through timely patching to HBS 3 version 26.2.0.938 or later, eliminating the vulnerability as per the QNAP advisory.

AC-6 Least Privilege (prevent)
Limits damage from low-privilege exploitation by ensuring accounts have only the privileges necessary to access files and directories.
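The SI-10 control above is the one a developer can act on directly. The following Python example, added here and not code from QNAP or from HBS 3, shows the canonicalise-then-compare check that a file-handling service should apply to any client-supplied path before opening it: the path is joined to the service's root, fully resolved (including `..` components and symlinks), and accepted only if the result still lies under that root. The function and error names (`resolve_within_root`, `UnsafePathError`, `demo`) are hypothetical, and the share layout and sample paths are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would escape the allowed root."""


def resolve_within_root(root: str, user_path: str) -> str:
    """Return the canonical absolute path of user_path inside root.

    Rejects NUL bytes, absolute paths, and any path whose canonical form
    (after resolving '..' components and symlinks) lies outside root.
    This is the CWE-73 check: the caller decides *where* files live,
    the client only chooses a name relative to that location.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    if os.path.isabs(user_path):
        raise UnsafePathError("absolute path not allowed")
    # Canonicalise both sides so symlinks and '..' are fully resolved
    # before the comparison; comparing raw strings is not enough.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    try:
        common = os.path.commonpath([root_real, candidate])
    except ValueError:  # different drives on Windows
        raise UnsafePathError("path on a different volume") from None
    if common != root_real:
        raise UnsafePathError(f"path escapes root: {user_path!r}")
    return candidate


def demo() -> dict:
    """Exercise the check against constructed inputs in a throwaway share."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "share")
        os.makedirs(os.path.join(root, "backups"))
        Path(root, "backups", "job1.tar").write_bytes(b"constructed")
        # A symlink *inside* the share that points outside it: a plain
        # string prefix check would wrongly accept paths through it.
        os.symlink(tmp, os.path.join(root, "escape"))

        samples = [
            "backups/job1.tar",            # ordinary file under the root
            "backups/../backups/job1.tar", # '..' that stays inside
            "../secrets",                  # classic traversal
            "/etc/hostname",               # absolute path
            "escape/secrets",              # traversal via symlink
            "bad\x00name",                 # NUL byte truncation trick
        ]
        results = {}
        for p in samples:
            try:
                resolve_within_root(root, p)
                results[p] = "allowed"
            except UnsafePathError:
                results[p] = "rejected"
        return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:8} {path!r}")
```

Resolving with `os.path.realpath` before the `commonpath` comparison is what makes the symlink case work; a check that only strips `..` segments or tests a string prefix would accept `escape/secrets`. The same pattern applies whether the path arrives over a backup-sync protocol, a web API, or a configuration file.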