CVE-2021-28799 — AI Deep Analysis Summary

🚨 **Essence**: QNAP HBS 3 has a broken authorization check. 📉 **Consequences**: Attackers can bypass login screens and gain direct access to the device. It’s a critical security failure.

🛡️ **Root Cause**: CWE-285 (Improper Authorization). The system fails to verify if the user is actually allowed to access the resource before granting entry.

📦 **Affected**: QNAP HBS 3 (Hybrid Backup Sync). **Versions**: < v16.0.0415 (QTS 4.5.2), < v3.0.210412 (QTS 4.3.6), and others listed in the advisory. **NOT Affected**: HBS 1.3 or HBS 2.

💻 **Hacker Power**: Full remote login without credentials. 📂 **Data Risk**: Complete compromise of the NAS. High impact on Confidentiality, Integrity, and Availability (CVSS 3.1).

⚡ **Threshold**: LOW. **Auth**: None required (PR:N). **Complexity**: Low (AC:L). **UI**: No interaction needed (UI:N). It’s an easy remote exploit.

🔍 **Exploit**: Yes. Public PoC available via Nuclei templates (projectdiscovery). Wild exploitation is likely due to the simplicity of the flaw.

🔎 **Self-Check**: Scan for QNAP NAS running HBS 3. Use tools like Nuclei with the specific CVE-2021-28799 template. Check your HBS 3 version number immediately.

🔧 **Fix**: Yes. Update HBS 3 to the latest patched version specific to your QTS/QuTS hero/QuTScloud release. See QSA-21-13 for details.

🚧 **No Patch?**: Isolate the NAS from the internet. Restrict access to trusted IPs only. Disable HBS 3 if not strictly necessary. Monitor logs for unauthorized login attempts.

🔥 **Urgency**: CRITICAL. CVSS is high. Remote unauthenticated access is a top-tier threat. Patch immediately to prevent data theft or ransomware.