Critical Vulnerability in QNAP Network Attached Storage (NAS)

Published on 06 Jul 2021

Updated on 06 Jul 2021

QNAP has released a security advisory to address a critical vulnerability (CVE-2021-28809) for its NAS running Hybrid Backup Sync 3 (HBS 3), a disaster recovery and data backup solution.

Successful exploitation of the vulnerability could allow an unauthenticated attacker to escalate privileges, perform remote code execution, or access data on the NAS. An attacker could also reset the NAS to factory mode, which would wipe all data from the devices.

Administrators and users are advised to update their HBS 3 firmware to the latest versions immediately:

  • QTS 4.3.6: HBS 3 v3.0.210507 and later
  • QTS 4.3.4: HBS 3 v3.0.210506 and later
  • QTS 4.3.3: HBS 3 v3.0.210506 and later

Note: QNAP NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected.
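
The version check implied by the list and note above, as an added example (not code from QNAP or from this advisory): it classifies an inventory of NAS units by QTS branch and HBS 3 version. The hostnames and inventory rows are constructed, and combinations the advisory does not mention are reported as "not listed" rather than guessed.

```python
import re

# Minimum fixed HBS 3 builds per QTS branch, copied from the advisory's list.
FIXED_HBS = {
    (4, 3, 6): (3, 0, 210507),
    (4, 3, 4): (3, 0, 210506),
    (4, 3, 3): (3, 0, 210506),
}

def parse_version(text):
    """Extract the dotted number from strings such as 'v3.0.210507'."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def classify(qts, hbs):
    """Return 'vulnerable', 'patched', 'not affected' or 'not listed'."""
    qts_v, hbs_v = parse_version(qts), parse_version(hbs)
    # The advisory's note: QTS 4.5.x with HBS 3 v16.x is not affected.
    if qts_v[:2] == (4, 5) and hbs_v[0] == 16:
        return "not affected"
    minimum = FIXED_HBS.get(qts_v[:3])
    if minimum is None:
        return "not listed"  # the advisory does not cover this combination
    return "patched" if hbs_v >= minimum else "vulnerable"

def needs_update(inventory):
    """Hosts whose HBS 3 build is older than the fixed build for their branch."""
    return [host for host, qts, hbs in inventory
            if classify(qts, hbs) == "vulnerable"]

# Constructed inventory rows: (hostname, QTS version, HBS 3 version).
SAMPLE_INVENTORY = [
    ("nas-01", "4.3.6", "v3.0.210412"),
    ("nas-02", "4.3.6", "v3.0.210507"),
    ("nas-03", "4.3.4", "v3.0.210505"),
    ("nas-04", "4.5.3", "v16.0.0415"),
    ("nas-05", "4.4.1", "v3.0.210507"),
]

if __name__ == "__main__":
    for host, qts, hbs in SAMPLE_INVENTORY:
        print(f"{host}: QTS {qts}, HBS 3 {hbs} -> {classify(qts, hbs)}")
```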

More information is available here:
https://www.qnap.com/en-us/security-advisory/QSA-21-19