On 29 October 2024, QNAP issued a security advisory regarding a critical OS command injection vulnerability, tracked as CVE-2024-50388. Discovered by researchers at the Pwn2Own conference, this vulnerability affects HBS 3 Hybrid Backup Sync, a backup and disaster recovery solution used by organisations for secure data protection across multiple locations. The flaw allows remote attackers to execute arbitrary commands.
Arctic Wolf has not observed any instances of this vulnerability being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors such as Qlocker have targeted QNAP products. Given the critical severity of CVE-2024-50388 and the appeal of HBS 3 Hybrid Backup Sync as a target for threat actors—particularly ransomware groups—threat actors may attempt to exploit this vulnerability in the near future.
Recommendation for CVE-2024-50388
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| HBS 3 Hybrid Backup Sync | 25.1.x | 25.1.1.673 and later |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.



