Security ID : QSA-25-46
Multiple Vulnerabilities in HBS 3 Hybrid Backup Sync (PWN2ONW 2025)
Release date : November 8, 2025
CVE identifier : CVE-2025-62840 | CVE-2025-62842 | ZDI-CAN-28426 | ZDI-CAN-28428
Affected products: HBS 3 Hybrid Backup Sync 26.1.x and earlier
Severity
Critical
Status
Resolved
Summary
Multiple vulnerabilities have been reported to affect HBS 3 Hybrid Backup Sync. We have already fixed the vulnerabilities in the following version:
- CVE-2025-62840: Generation of error message containing sensitive information vulnerability, If an attacker gains local network access, they can then exploit the vulnerability to read application data.
- CVE-2025-62842: External control of file name or path vulnerability, If an attacker gains local network access, they can then exploit the vulnerability to read or modify files or directories.
| Affected Product | Fixed Version |
| HBS 3 Hybrid Backup Sync 26.1.x and earlier | HBS 3 Hybrid Backup Sync 26.2.0.938 and later |
Recommendation
To fix the vulnerabilities, we recommend updating HBS 3 Hybrid Backup Sync to the latest version.
For increased security, we also recommend users to change all passwords.
Updating HBS 3 Hybrid Backup Sync
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click
.
A search box appears. - Type "HBS 3 Hybrid Backup Sync" and then press ENTER.
HBS 3 Hybrid Backup Sync appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your HBS 3 Hybrid Backup Sync is already up to date. - Click OK.
The system updates the application.
Attachment
Acknowledgements: Pwn2Own 2025 - Team DDOS
Revision History:
V1.0 (November 8, 2025) - Published
V1.1 (January 3, 2026) - Added more details
