CVE-2024-50388

ENISA EUVD: EUVD-2024-45184 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 4 articles Published: 2024-12-06

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

7.93%

probability

This CVE has a 7.93% probability of being exploited in the next 30 days.

0% Top 92.1th percentile of all CVEs 100%

CVSS v4.0 NEW

Source: VulnerabilityLookup (CIRCL)

9.5

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

Present

Privileges Required

None

User Interaction

None

Vulnerable System Confidentiality Impact

High

Vulnerable System Integrity Impact

High

Vulnerable System Availability Impact

High

Subsequent System Confidentiality Impact

High

Subsequent System Integrity Impact

High

Subsequent System Availability Impact

High

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS v3.1

Source: NVD

9.8

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute commands. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 25.1.1.673 and later

Affected Products

QNAP Systems Inc.

HBS 3 Hybrid Backup Sync

25.1.x

qnap

hybrid backup sync

QNAP Systems Inc.

HBS 3 Hybrid Backup Sync

25.1.x <25.1.1.673

Attack Intelligence

CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77 · Command Injection CWE-78 · OS Command Injection

https://www.qnap.com/en/security-advisory/qsa-24-41

Signal Intelligence

Confidenceⓘ

92%

EPSS 7.93%

CVSS v4.0 9.5

CVSS v3.1 9.8

Mentions 4

Last Seen Nov 07, 2025

CNA Information

CNA Assigner

qnap

CNA Title

HBS 3 Hybrid Backup Sync

Analyst Note

CVE-2024-50388 was explicitly identified as a zero-day exploited at Pwn2Own 2024 (a live hacking competition). Multiple authoritative sources (BleepingComputer, CERT-EU) confirm zero-day exploitation, and QNAP released patches (v25.1.1.673+) in response to active exploitation at the event in December 2024, demonstrating exploitation preceded or coincided with patch availability.

Threat Actors 2

Hacking Team

apt_group 🇮🇹 IT

Mana Team

apt_group 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateDec 06, 2024