
CVE-2024-50388: Critical OS Command Injection Vulnerability in QNAP HBS 3 Hybrid Backup Sync

On October 29, 2024, QNAP issued a security advisory regarding a critical OS command injection vulnerability, tracked as CVE-2024-50388. Find Arctic Wolf’s recommendations.

On October 29, 2024, QNAP issued a security advisory regarding a critical OS command injection vulnerability, tracked as CVE-2024-50388. Discovered by researchers at the Pwn2Own conference, this vulnerability affects HBS 3 Hybrid Backup Sync, a backup and disaster recovery solution used by organizations for secure data protection across multiple locations. The flaw allows remote attackers to execute arbitrary commands. 

Arctic Wolf has not observed any instances of this vulnerability being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors, such as Qlocker, have targeted QNAP products. Given the critical severity of CVE-2024-50388 and the appeal of HBS 3 Hybrid Backup Sync as a target, particularly for ransomware groups, threat actors may attempt to exploit this vulnerability in the near future.

Recommendation for CVE-2024-50388

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

| Product | Affected Version | Fixed Version |
|---|---|---|
| HBS 3 Hybrid Backup Sync | 25.1.x | 25.1.1.673 and later |

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
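To turn the table above into a repeatable check across a fleet, the following added helper (not Arctic Wolf or QNAP code) classifies an installed HBS 3 version string against the advisory's affected branch (25.1.x) and fixed version (25.1.1.673 and later). It assumes the installed version has already been read from the device, for example from the App Center, and makes no claim about versions the advisory does not list.

```python
"""Classify an HBS 3 Hybrid Backup Sync version against the CVE-2024-50388 table.

Added example; the only facts used are the advisory's table entries:
affected 25.1.x, fixed 25.1.1.673 and later. Branches the advisory does
not mention are reported as 'not-listed' rather than guessed at.
"""
from __future__ import annotations

import re

AFFECTED_BRANCH = (25, 1)          # "25.1.x" from the advisory table
FIXED_VERSION = (25, 1, 1, 673)    # "25.1.1.673 and later"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '25.1.1.673' into a tuple of ints.

    A non-numeric suffix on a component (e.g. '673-beta') is ignored so a
    build tag cannot break the comparison; a component with no leading
    digits raises ValueError instead of silently comparing as 'fixed'.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(match.group(0)))
    return tuple(parts)


def assess(installed: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for an installed version.

    Tuple comparison is lexicographic, so (25, 1) < (25, 1, 1, 673) and
    (25, 1, 1, 700) > (25, 1, 1, 673), matching how the table reads.
    """
    version = parse_version(installed)
    if version[:2] != AFFECTED_BRANCH:
        return "not-listed"     # outside the 25.1.x branch the advisory names
    return "fixed" if version >= FIXED_VERSION else "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from any real device.
    for sample in ("25.1.0.500", "25.1.1.673", "25.1.1.700", "25.1", "24.0.9.1"):
        print(f"{sample:>12}: {assess(sample)}")
```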
