TOCTOU Race Condition in QNAP Software Products
CVE-2024-53694
8.6 HIGH
Key Information:
- Vendor: QNAP
- CVE Published: 7 March 2025
Summary
A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in several QNAP software products. A local attacker with user access could exploit the timing gap between a system check on a resource and the later use of that resource, potentially gaining unauthorized access to sensitive resources. Users should promptly update to the latest versions of QVPN Device Client for Mac (2.2.5 and later), Qsync for Mac (5.1.3 and later), and Qfinder Pro Mac (7.11.1 and later) to mitigate this risk. For further details, visit QNAP's security advisory.
Affected Version(s)
Qfinder Pro Mac 7.11.x < 7.11.1
Qsync for Mac 5.1.x < 5.1.3
QVPN Device Client for Mac 2.2.x < 2.2.5
CVSS V4
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Mykola Grymalyuk