Login Sign Up

CVE-2021-28798

8.8 HIGH
Path Traversal

📋 TL;DR

This CVE describes a relative path traversal vulnerability in QNAP NAS devices running QTS and QuTS hero operating systems. If exploited, attackers can modify system files, potentially compromising system integrity. Affected users are those running vulnerable versions of QNAP NAS software.

💻 Affected Systems

Products:
  • QNAP NAS running QTS
  • QNAP NAS running QuTS hero
Versions: QTS versions before 4.5.2.1630 Build 20210406, 4.3.6.1663 Build 20210504, and 4.3.3.1624 Build 20210416; QuTS hero versions before h4.5.2.1638 Build 20210414
Operating Systems: QTS, QuTS hero
Default Config Vulnerable: ⚠️ Yes
Notes: QTS 4.5.3 is not affected. All other versions before the fixed builds are vulnerable.

📦 What is this software?

Qts by Qnap

View all CVEs affecting Qts →

Qts by Qnap

View all CVEs affecting Qts →

Qts by Qnap

View all CVEs affecting Qts →

Quts Hero by Qnap

View all CVEs affecting Quts Hero →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify critical system files, install persistent malware, gain full system control, or render the NAS inoperable.

🟠

Likely Case

Attackers modify configuration files to gain unauthorized access, escalate privileges, or disrupt NAS services.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the NAS device itself without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires some level of access to the NAS, but path traversal vulnerabilities are commonly exploited once discovered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QTS 4.5.2.1630 Build 20210406 or later, QTS 4.3.6.1663 Build 20210504 or later, QTS 4.3.3.1624 Build 20210416 or later, QuTS hero h4.5.2.1638 Build 20210414 or later

Vendor Advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-21-14

Restart Required: Yes

Instructions:

1. Log into QNAP NAS web interface. 2. Go to Control Panel > System > Firmware Update. 3. Check for updates and install the latest firmware. 4. Reboot the NAS after update completes.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate QNAP NAS from internet and restrict access to trusted networks only

Access Control Restrictions

all

Limit user permissions and disable unnecessary services on the NAS

🧯 If You Can't Patch

  • Disable all internet-facing services and ports on the NAS
  • Implement strict network firewall rules to limit access to the NAS

🔍 How to Verify

Check if Vulnerable:

Check QTS/QuTS hero version in Control Panel > System > Firmware Update

Check Version:

ssh admin@nas_ip 'cat /etc/config/uLinux.conf | grep version'

Verify Fix Applied:

Verify firmware version matches or exceeds the patched versions listed in the advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual file modification patterns in system logs
  • Failed path traversal attempts in web server logs

Network Indicators:

  • Unusual outbound connections from NAS
  • Unexpected file transfer patterns

SIEM Query:

source="qnap_nas" AND (event_type="file_modification" OR path="../")

📊 Metadata

CVE ID: CVE-2021-28798
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-23
Published: May 21, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-28798, you might also want to check these:

CVE-2024-24578 10.0

CVE-2024-24578 is an unauthenticated remote code execution vulnerability in RaspberryMatic/OCCU IoT ...

Same vulnerability type (CWE-23)
CVE-2023-3701 9.9

Aqua Drive version 2.4 has a relative path traversal vulnerability that allows authenticated users t...

Same vulnerability type (CWE-23)
CVE-2024-3025 9.9

This path traversal vulnerability in mintplex-labs/anything-llm allows attackers to read or delete f...

Same vulnerability type (CWE-23)