QNAP Security Advisory<br/>Qlocker Ransomware <br/>Relative Path Traversal Vulnerability in QTS and QuTS hero

QNAP Security Advisory
Qlocker Ransomware
Relative Path Traversal Vulnerability in QTS and QuTS hero

  • Post comments:0 Comments
  • Reading time:2 mins read

QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

Qlocker Ransomware

Release date: May 21, 2021
Security ID: QSA-21-12
Severity: Critical
Affected products: QNAP NAS running HBS 3


A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).

Once a NAS is infected, the ransomware moves files on the NAS into password-protected 7z archives. Snapshots are also removed, and users are left with a !!!READ_ME.txt ransom note in each affected folder. To extract the files from the archives, victims would need to enter a password known only to the attacker.

We have already fixed the related vulnerability in the following versions of HBS 3:

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

QNAP NAS running HBS 2 and HBS 1.3 are not affected.<<Learn more>>

Relative Path Traversal Vulnerability in QTS and QuTS hero

Release date: May 21, 2021
Security ID: QSA-21-14
Severity: High
CVE identifier: CVE-2021-28798
Affected products: All QNAP NAS


A relative path traversal vulnerability has been reported to affect QNAP NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity.

We have already fixed this vulnerability in the following versions:

  • QTS Build 20210406 and later
  • QTS Build 20210504 and later
  • QTS Build 20210416 and later
  • QuTS hero h4.5.2.1638 Build 20210414 and later

QNAP NAS running QTS 4.5.3 are not affected.<<Learn more>>

If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/

Leave a Reply