On October 29, 2024, QNAP issued a security advisory regarding a critical OS command injection vulnerability, tracked as CVE-2024-50388. Discovered by researchers at the Pwn2Own conference, this vulnerability affects HBS 3 Hybrid Backup Sync, a backup and disaster recovery solution used by organizations for secure data protection across multiple locations. The flaw allows remote attackers to execute arbitrary commands.
Arctic Wolf has not observed any instances of this vulnerability being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors such as Qlocker have targeted QNAP products.Given the critical severity of CVE-2024-50388 and the appeal of HBS 3 Hybrid Backup Sync as a target for threat actors—particularly ransomware groups—threat actors may attempt to exploit this vulnerability in the near future.
Recommendation for CVE-2024-50388
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| HBS 3 Hybrid Backup Sync | 25.1.x | 25.1.1.673 and later |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
Stay up to date with the latest security incidents and trends from Arctic Wolf Labs.
Explore the latest global threats with the 2024 Arctic Wolf Labs Threats Report.
