CVE-2025-62842
Path Traversal Vulnerability in HBS 3 Hybrid Backup Sync Allows File Access
Publication date: 2026-01-02
Last updated on: 2026-02-05
Assigner: QNAP Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qnap | hbs_3_hybrid_backup_sync | From 26.2.0.938 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an external control of file name or path issue in HBS 3 Hybrid Backup Sync. If an attacker gains access to the local network, they can exploit this vulnerability to read or modify files or directories on the affected system.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with local network access to read or modify files or directories, potentially leading to unauthorized data access, data tampering, or disruption of backup operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update HBS 3 Hybrid Backup Sync to version 26.2.0.938 or later, where the vulnerability has been fixed. Additionally, restrict local network access to trusted users only to reduce the risk of exploitation.