Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability. The improper access control vulnerability, tracked as CVE-2021-28809, was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync. The vulnerability is caused by buggy software that does not correctly restrict attackers from gaining access to system resources, allowing them to escalate privileges, execute commands remotely, or read sensitive information without authorization. The company says that the security flaw is already fixed in the following HBS versions and advises customers to update the application.
Source: https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-in-nas-backup-disaster-recovery-app/

