CVE-2021-28799

ENISA EUVD: EUVD-2021-15455
Exploited in the Wild ✓ Confirmed 0-Day
Triaged: March 5, 2026 · 1 article · Published: 2021-05-13

EPSS Score

Source: FIRST.org · 2026-05-23
90.84% probability
This CVE has a 90.84% probability of being exploited in the next 30 days.
Top 99.6th percentile of all CVEs

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)
10 · CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2 (legacy)

7.5 · HIGH
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial
AV:N/AC:L/Au:N/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.

Affected Products

QNAP Systems Inc. · HBS 3 · unspecified
QNAP Systems Inc. · HBS 3 · unspecified
QNAP Systems Inc. · HBS 3 · unspecified
QNAP Systems Inc. · HBS 3 · unspecified
QNAP Systems Inc. · HBS 3 · unspecified

Attack Intelligence

Signal Intelligence

Confidence: 85%
EPSS: 90.84%
CVSS v3.1: 10
Mentions: 1
Last Seen: Oct 29, 2024

CNA Information

CNA Assigner: qnap
CNA Title: Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Analyst Note

CVE-2021-28799 was explicitly named as a zero-day exploited at Pwn2Own (a live hacking competition where vulnerabilities are exploited against unpatched systems before patches exist). The BleepingComputer article title directly confirms 'zero-day exploited at Pwn2Own,' establishing that exploitation preceded patch availability. QNAP's patch release on 2021-05-13 aligns with CVE publication, confirming vendor-coordinated disclosure of an actively exploited vulnerability.

Triage Info

Decided at: Mar 05, 2026
Published Date: May 13, 2021