CVE-2025-62840
Unknown Unknown - Not Provided
Information Disclosure via Error Messages in HBS 3 Hybrid Backup Sync

Publication date: 2026-01-02

Last updated on: 2026-02-05

Assigner: QNAP Systems, Inc.

Description
A generation of error message containing sensitive information vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read application data. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62840
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
qnap hbs_3_hybrid_backup_sync to 26.2.0.938 (exc)
qnap hbs_3_hybrid_backup_sync 26.2.0.938
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in QNAP's HBS 3 Hybrid Backup Sync involves the generation of error messages that contain sensitive information. An attacker who gains local network access can exploit this flaw to read application data, potentially exposing confidential information. The issue affects versions 26.1.x and earlier and has been fixed in version 26.2.0.938 and later. [1]

Impact Analysis

If exploited, this vulnerability allows an attacker with local network access to read sensitive application data, which could lead to unauthorized disclosure of confidential information. This can compromise the security and privacy of your data and potentially lead to further attacks or data breaches. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately update HBS 3 Hybrid Backup Sync to version 26.2.0.938 or later. The update can be done by logging into QTS or QuTS hero as an administrator, accessing the App Center, searching for "HBS 3 Hybrid Backup Sync," and applying the update if available. Additionally, it is recommended to change all passwords to enhance security. [1]

Compliance Impact

The vulnerability allows an attacker with local network access to read application data due to error messages containing sensitive information. This exposure of sensitive data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information. Therefore, if exploited, this vulnerability may result in violations of these standards by compromising data confidentiality. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart