Network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable devices. The security issue exists due to incorrect access control in QNAP’s HBS 3 Hybrid Backup Sync, data backup solution.

Vulnerable software does not correctly restrict attackers from gaining access to system resources allowing them escalate privileges, execute commands remotely, or read sensitive info without authorization.

The vulnerability (CVE-2021-28809) is already fixed in the following versions of the solution:

QTS 4.3.6: HBS 3 v3.0.210507 and later;

QTS 4.3.4: HBS 3 v3.0.210506 and later;

QTS 4.3.3: HBS 3 v3.0.210506 and later.

According to the QNAP company, the vulnerability does not affect devices running QTS 4.5.x with HBS 3 v16.x versions.

Source: securitylab.ru