#VU52525 Improper Authorization in HBS 3 Hybrid Backup Sync


Published: 2021-04-23 | Updated: 2022-03-31

Vulnerability identifier: #VU52525

Vulnerability risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-28799

CWE-ID: CWE-285

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
HBS 3 Hybrid Backup Sync
Server applications / Other server solutions

Vendor:

Description

The vulnerability allows a remote attacker to bypass authorization checks.

The vulnerability exists due to insufficient authorization checks. A remote attacker can bypass authorization checking and log in to a device.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://www.qnap.com/en/security-advisory/qsa-21-13

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability


Improper Authorization in QNAP HBS 3 Hybrid Backup Sync