⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-04-21.
CVE-2021-28799 — Improper Authorization in Systems INC HBS 3
Severity
NVD: 9.8 CRITICAL
CNA: 10.0
VulnCheck: 10.0
EPSS
91.1% (top 0.35%)
CISA KEV
KEV, Ransomware
Added 2022-03-31
Due 2022-04-21
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: May 13
KEV added: Mar 31
KEV due: Apr 21
Latest update: May 24
Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScl…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
🔴 Vulnerability Details
3 💥 Exploits & PoCs
1 Nuclei
QNAP HBS 3 - Broken Access Control