TOCTOU Race Condition in QNAP Software Products
CVE-2024-53694
Key Information:
- Vendor: QNAP
- CVE Published: 7 March 2025
What is CVE-2024-53694?
A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in several QNAP software products. A local attacker who has gained user access could exploit the timing gap between a system check and the later use of the checked resource to gain unauthorized access to sensitive resources. The issue is fixed in QVPN Device Client for Mac 2.2.5 and later, Qsync for Mac 5.1.3 and later, and Qfinder Pro Mac 7.11.1 and later; users should update to these versions promptly. For further details, see QNAP's security advisory.
Affected Version(s)
Qfinder Pro Mac 7.11.x < 7.11.1
Qsync for Mac 5.1.x < 5.1.3
QVPN Device Client for Mac 2.2.x < 2.2.5