CVE-2025-62842

HBS 3 Hybrid Backup Sync

CVSS 7 HIGHEPSS 0.2%CWE-73

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 7EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

02 Jan 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

QNAP Systems Inc. · HBS 3 Hybrid Backup Sync

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.qnap.com/en/security-advisory/qsa-25-46