What is QNAP HBS 3?
QNAP Network Attached Storage (NAS) devices are widely deployed by small businesses, enterprises, and home users for network file storage, backup, media serving, and data management. HBS 3 (Hybrid Backup Sync) is QNAP's integrated backup, restore, and synchronization application installed by default on QTS-based QNAP NAS systems. HBS 3 manages backup jobs to cloud services (Amazon S3, Google Drive, Azure) and to remote RTRR/rsync destinations. Because QNAP NAS devices often store business-critical data and are configured with remote access enabled for off-site backup management, they are prime ransomware targets — compromising HBS 3 grants both data access and backup manipulation capabilities.
Overview
CVE-2021-28799 is an improper authorization vulnerability (CWE-285) in QNAP's HBS 3 Hybrid Backup Sync application. The vulnerability allows a remote unauthenticated attacker to log in to the QNAP NAS device, bypassing normal authentication controls. Once authenticated, the attacker has full access to the NAS file system and management interface. The Qlocker ransomware group exploited this vulnerability in a massive campaign starting April 19, 2021 — before QNAP published its advisory — encrypting the contents of thousands of QNAP devices worldwide using 7-Zip archive password protection. Victims received ransom demands of 0.01 Bitcoin (~$500 USD at the time). Qlocker generated an estimated $260,000+ in ransoms during the brief campaign.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| HBS 3 Hybrid Backup Sync before 16.0.0415 | Yes | 16.0.0415 |
| HBS 3 before 17.1.0715 (for newer QTS) | Yes | 17.1.0715 |
| QTS 4.5.x and later with vulnerable HBS 3 | Yes | Update HBS 3 via App Center |
Technical Details
The HBS 3 application exposes management endpoints that process login and authentication requests. The authorization check for these endpoints contains a flaw that can be bypassed:
- Root cause: Improper authorization (CWE-285) in HBS 3's authentication logic — the application does not properly verify the identity and authorization of incoming requests, allowing unauthenticated access to authenticated endpoints
- Bypass mechanism: The authentication bypass allows remote attackers to establish a session as an authenticated user without providing valid credentials
- Post-authentication access: Once authenticated, the attacker has NAS administrator-level access including file system access, backup job management, and the ability to run arbitrary commands
- Scope: Changed — the NAS file system serves networked clients; access to the NAS can enable lateral movement to connected systems and access to files from many users' machines
- Qlocker technique: After authentication, Qlocker used legitimate 7-Zip functionality to move all NAS files into password-protected archives, then deleted the originals, effectively ransoming the data without deploying traditional malware
Discovery
The vulnerability was identified in the context of the April 2021 Qlocker ransomware campaign. QNAP published an emergency advisory and released patches on April 22, 2021, after the campaign had already encrypted thousands of devices.
Exploitation Context
The Qlocker campaign was notable for its scale and efficiency — thousands of QNAP devices were encrypted within days using a relatively simple ransomware technique that leveraged QNAP's own built-in 7-Zip functionality rather than custom malware. This made detection difficult as the encryption process appeared to be legitimate system activity. eCh0raix (QNAPCrypt) ransomware operators also exploited this vulnerability in more targeted attacks against business QNAP deployments. QNAP NAS devices frequently have remote access enabled (via myQNAPcloud or direct port forwarding) for backup and media access, exposing HBS 3 management interfaces directly to the internet.
Remediation
- Update HBS 3 Hybrid Backup Sync to version 16.0.0415 or later via the QNAP App Center immediately
- Also apply all available QTS firmware updates — multiple QNAP vulnerabilities were exploited in the 2021 Qlocker campaign
- Disable unnecessary remote access features: disable UPnP port forwarding, remove direct port-forwards to the NAS management interface
- If the NAS must be remotely accessible, access it through a VPN rather than exposing the management interface directly to the internet
- Check for and remove `.7z` archives created by unauthorized processes — Qlocker victims found their files replaced by password-protected 7-Zip archives
- Review QNAP access logs for unexpected login events, particularly during April–May 2021 if the device was unpatched during that period
- Enable QNAP Security Counselor to monitor for new vulnerabilities and suspicious activity
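A triage sketch for the archive check in the list above, added here as an example and not taken from QNAP tooling. It walks a mounted share and reports folders whose files are almost all 7-Zip containers written in one burst. The thresholds and the sample tree are constructed assumptions, and it identifies archives by file signature only, without testing whether they are password-protected.

```python
import os
import tempfile

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7-Zip container signature (first 6 bytes)

def is_7z(path):
    """True if the file starts with the 7-Zip signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(6) == SEVENZ_MAGIC
    except OSError:
        return False  # unreadable entries are skipped, not flagged

def scan_share(root, min_files=5, min_ratio=0.8):
    """Map directory -> (archives, total_files, mtime_span_seconds) for every
    directory whose files are almost all 7-Zip archives (thresholds assumed)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if len(files) < min_files:
            continue
        mtimes = []
        for name in files:
            full = os.path.join(dirpath, name)
            if is_7z(full):
                mtimes.append(os.path.getmtime(full))
        if mtimes and len(mtimes) / len(files) >= min_ratio:
            # A small span means the archives were written in one burst.
            findings[dirpath] = (len(mtimes), len(files), max(mtimes) - min(mtimes))
    return findings

def build_sample_share():
    """Constructed sample tree: one archive-only folder, one ordinary folder."""
    root = tempfile.mkdtemp(prefix="nas_sample_")
    hit, normal = os.path.join(root, "Photos"), os.path.join(root, "Docs")
    os.makedirs(hit)
    os.makedirs(normal)
    for i in range(6):
        with open(os.path.join(hit, f"img{i}.jpg.7z"), "wb") as fh:
            fh.write(SEVENZ_MAGIC + b"\x00" * 26)
    for i in range(5):
        with open(os.path.join(normal, f"report{i}.txt"), "wb") as fh:
            fh.write(b"plain text\n")
    with open(os.path.join(normal, "old-backup.7z"), "wb") as fh:
        fh.write(SEVENZ_MAGIC + b"\x00" * 26)
    return root

if __name__ == "__main__":
    for folder, (n, total, span) in scan_share(build_sample_share()).items():
        print(f"{folder}: {n}/{total} files are 7z, written within {span:.0f}s")
```

Run it from a client with the share mounted read-only; a flagged folder is a lead for manual review and log correlation, not proof of compromise.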
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-28799 |
| Vendor / Product | QNAP — Network Attached Storage (NAS) |
| NVD Published | 2021-05-13 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-285 |
| CISA KEV Added | 2022-03-31 |
| CISA KEV Deadline | 2022-04-21 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2021-04-19 | Qlocker ransomware campaign begins targeting QNAP NAS devices; thousands of devices encrypted within days |
| 2021-04-22 | QNAP releases emergency advisory for HBS 3 vulnerability; urges immediate update |
| 2021-05-13 | CVE published; QNAP Security Advisory QSA-21-11 |
| 2021-05 | eCh0raix ransomware also exploits HBS 3 vulnerability in targeted attacks |
| 2022-03-31 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-04-21 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| QNAP Security Advisory QSA-21-11 | Vendor Advisory |
| BleepingComputer — Massive Qlocker Ransomware Attack Uses 7-Zip to Encrypt QNAP Devices | Security Research |
| NVD — CVE-2021-28799 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |