QNAP patches a critical zero-day vulnerability in NAS devices post-Pwn2Own 2024 hack, boosting NAS security with updates for HBS 3 Backup Sync

Continue reading
QNAP has addressed a critical zero-day vulnerability exploited by security researchers to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition. This vulnerability, designated CVE-2024-50388, is rooted in an OS command injection weakness in the HBS 3 Hybrid Backup Sync software, which serves as QNAP's solution for disaster recovery and data backup.
The flaw in question, CVE-2024-50388, was identified in HBS 3 Hybrid Backup Sync version 25.1.x. The vulnerability poses a significant risk, as it could enable remote attackers to execute arbitrary commands on affected devices, potentially gaining unauthorized access.
> QNAP Security Advisory: > "An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," QNAP said in a Tuesday security advisory.
QNAP has issued a patch in HBS 3 Hybrid Backup Sync version 25.1.1.673 and later to address this critical vulnerability. To protect your NAS device from potential exploits, it is essential to ensure your HBS 3 installation is up-to-date.
The vulnerability came to light during the Pwn2Own Ireland 2024 competition, where security researchers Ha The Long and Ha Anh Hoang from Viettel Cyber Security successfully leveraged it to gain administrative privileges on QNAP’s TS-464 NAS device.
Notably, Team Viettel secured victory in the Pwn2Own competition, held over four days and concluded on October 25, 2024. The team won substantial prizes, contributing to a total pool exceeding $1 million, by disclosing over 70 zero-day vulnerabilities across various devices and applications.
QNAP’s response to this zero-day vulnerability is considered swift, with the patch released five days after the exploit was demonstrated. Typically, vendors participating in Pwn2Own are granted a 90-day window to address reported vulnerabilities before the Zero Day Initiative (ZDI), run by Trend Micro, publishes detailed information on the vulnerabilities disclosed during the contest.
QNAP devices have been a frequent target for cyber threats over the years, particularly by ransomware gangs due to the sensitive personal and organizational data they store. Below are some notable historical vulnerabilities and attacks against QNAP devices:
In 2021, QNAP removed a backdoor account in the HBS 3 Hybrid Backup Sync. This vulnerability was exploited in conjunction with an SQL injection vulnerability (CVE-2020-36195) in QNAP’s Multimedia Console and Media Streaming Add-On. Attackers used these flaws to deploy Qlocker ransomware, encrypting files on Internet-exposed NAS devices.
QNAP NAS devices faced extensive ransomware attacks leveraging known security flaws. In June 2020, QNAP warned users of eCh0raix (QNAPCrypt) ransomware, which exploited vulnerabilities in the Photo Station app. By mid-2021, attackers using eCh0raix reemerged, taking advantage of weak user passwords and unresolved vulnerabilities.
AgeLocker ransomware targeted NAS devices running outdated Photo Station software versions. This attack highlighted the risks associated with publicly exposed NAS devices that lack regular updates or security patches.
QNAP NAS devices continue to be attractive to ransomware groups due to the personal and sensitive nature of the data stored on these systems. Cybercriminals often leverage this data to demand ransoms, knowing that victims may pay to regain access to their critical files.
QNAP’s quick response in patching the HBS 3 zero-day vulnerability shows a proactive approach to securing their systems against emerging threats. As NAS devices remain a popular yet viable target for threat actors, keeping such devices updated with the latest security patches often remains non-negotiable for preventing exploitation and minimizing data loss.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.