TOCTOU Race Condition in QNAP Software Products
CVE-2024-53694

8.6HIGH

Key Information:

Vendor: QNAP
Status: Qvpn Device Client For Mac; Qsync For Mac; Qfinder Pro Mac
Vendor: CVE Published:; 7 March 2025

Summary

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in various QNAP software products, enabling local attackers with user access to potentially exploit the flaw. This could lead to unauthorized access to sensitive resources by taking advantage of timing discrepancies between system checks and resource usage. Users should promptly update to the latest versions of QVPN Device Client for Mac (2.2.5 and later), Qsync for Mac (5.1.3 and later), and Qfinder Pro Mac (7.11.1 and later) to mitigate this risk. For further details, visit QNAP's security advisory.

Affected Version(s)

Qfinder Pro Mac 7.11.x < 7.11.1

Qsync for Mac 5.1.x < 5.1.3

QVPN Device Client for Mac 2.2.x < 2.2.5

References

https://www.qnap.com/en/security-advisory/qsa-24-51

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Nov 22, 2024

Credit

Mykola Grymalyuk