KEVIntel
Back to KEVs
10.0
CVSS
Critical

CVE-2021-28799

PUBLISHED

Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Exploited in the wild Used in malware Remote Low complexity No user interaction
Vendor
QNAP Systems Inc.
Product
HBS 3, HBS 2, HBS 1.3
Published
May 13, 2021
EPSS

Description

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

cisa malware ransomware nuclei_scanner

CVSS scores

CVSS v3.1 10.0 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2022-03-31 00:00:00 UTC · Source

Used in malware

Recorded 2022-03-31 00:00:00 UTC · Source

SSVC decision points

Exploitation
active
Automatable
Yes
Technical impact
total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
CISA Mar 31, 2022

Scanner integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-28799.yaml Jun 01, 2026

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Detected by Nuclei