VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-28799

⇱ NVD - CVE-2021-28799

  1. Vulnerabilities

CVE-2021-28799 Detail

Description

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799 CISA-ADP US Government Resource 
https://www.qnap.com/en/security-advisory/QSA-21-13 CVE, Inc., QNAP Systems Vendor Advisory 

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name Date Added Due Date Required Action
QNAP NAS Improper Authorization Vulnerability 03/31/2022 04/21/2022 Apply updates per vendor instructions.

Weakness Enumeration

CWE-ID CWE Name Source
NVD-CWE-Other Other πŸ‘ cwe source acceptance level
NIST  
CWE-285 Improper Authorization QNAP Systems, Inc.  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

13 change records found show changes

CVE Modified by CISA-ADP 6/16/2026 11:46:53 PM

Action Type Old Value New Value
Added SSVC 
{"timestamp":"2025-02-04T14:53:29.275519Z","id":"CVE-2021-28799","options":[{"exploitation":"active"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by QNAP Systems, Inc. 6/16/2026 11:46:53 PM

Action Type Old Value New Value
Added Affected 
[{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QTS 4.5.2"],"versions":[{"version":"unspecified","lessThan":"v16.0.0415","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QTS 4.3.6"],"versions":[{"version":"unspecified","lessThan":"v3.0.210412","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QTS 4.3.4"],"versions":[{"version":"unspecified","lessThan":"v3.0.210411","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QTS 4.3.3"],"versions":[{"version":"unspecified","lessThan":"v3.0.210411","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QuTS hero h4.5.1"],"versions":[{"version":"unspecified","lessThan":"v16.0.0419","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 3","platforms":["QuTScloud c4.5.1~c4.5.4"],"versions":[{"version":"unspecified","lessThan":"v16.0.0419","versionType":"custom","status":"affected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 2","versions":[{"version":"all versions","status":"unaffected"}]},{"vendor":"QNAP Systems Inc.","product":"HBS 1.3","versions":[{"version":"all versions","status":"unaffected"}]}]

Modified Analysis by NIST 11/03/2025 10:07:48 AM

Action Type Old Value New Value
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 16.0.0415
 OR
 cpe:2.3:o:qnap:qts:4.5.2:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.210411
 OR
 cpe:2.3:o:qnap:qts:4.3.3:*:*:*:*:*:*:*
 cpe:2.3:o:qnap:qts:4.3.4:*:*:*:*:*:*:*
Added Reference Type 
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799 Types: US Government Resource

CVE Modified by CISA-ADP 10/21/2025 8:17:30 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799

CVE Modified by CISA-ADP 10/21/2025 4:18:28 PM

Action Type Old Value New Value
Removed Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799

CVE Modified by CISA-ADP 10/21/2025 3:19:00 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-28799

Modified Analysis by NIST 3/12/2025 4:57:59 PM

Action Type Old Value New Value
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210412
 OR
 cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210412
 OR
 cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*
Changed CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210412
 OR
 cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions from (excluding) 3.0.210412
 OR
 cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*

CVE Modified by CVE 11/21/2024 1:00:13 AM

Action Type Old Value New Value
Added Reference 
https://www.qnap.com/en/security-advisory/QSA-21-13

CVE Modified by QNAP Systems, Inc. 5/14/2024 4:44:07 AM

Action Type Old Value New Value

CPE Deprecation Remap by NIST 11/14/2023 2:26:49 PM

Action Type Old Value New Value
Changed CPE Configuration 
OR
 *cpe:2.3:a:qnap:qts:4.3.6:*:*:*:*:*:*:*


 
OR
 *cpe:2.3:o:qnap:qts:4.3.6:*:*:*:*:*:*:*

Reanalysis by NIST 7/14/2022 11:42:37 AM

Action Type Old Value New Value
Added CWE 
NIST NVD-CWE-Other
Removed CWE 
NIST CWE-863

CPE Deprecation Remap by NIST 6/21/2021 12:57:36 PM

Action Type Old Value New Value
Changed CPE Configuration 
OR
 *cpe:2.3:a:qnap:quts_hero:h4.5.1:*:*:*:*:*:*:*


 
OR
 *cpe:2.3:o:qnap:quts_hero:h4.5.1:*:*:*:*:*:*:*

Initial Analysis by NIST 6/01/2021 4:05:48 PM

Action Type Old Value New Value
Added CVSS V3.1 
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CVSS V2 
NIST (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Added CWE 
NIST CWE-863
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 16.0.0415
 OR
 cpe:2.3:a:qnap:qts:4.5.2:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 16.0.0419
 OR
 cpe:2.3:a:qnap:quts_hero:h4.5.1:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 16.0.0419
 OR
 cpe:2.3:o:qnap:qutscloud:*:*:*:*:*:*:*:* versions from (including) c4.5.1 up to (including) c4.5.4
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.210411
 OR
 cpe:2.3:a:qnap:qts:4.3.3:*:*:*:*:*:*:*
 cpe:2.3:a:qnap:qts:4.3.4:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* versions up to (excluding) 3.0.210412
 OR
 cpe:2.3:a:qnap:qts:4.3.6:*:*:*:*:*:*:*
Changed Reference Type 
https://www.qnap.com/en/security-advisory/QSA-21-13 No Types Assigned


 
https://www.qnap.com/en/security-advisory/QSA-21-13 Vendor Advisory

Quick Info

CVE Dictionary Entry:
CVE-2021-28799
NVD Published Date:
05/12/2021
NVD Last Modified:
06/16/2026
Source:
QNAP Systems, Inc.