Path Traversal Vulnerability in QNAP Products
CVE-2025-53594

4.4MEDIUM

Key Information:

Vendor: QNAP
Status: Qfinder Pro Mac; Qsync For Mac; Qvpn Device Client For Mac
Vendor: CVE Published:; 2 January 2026

What is CVE-2025-53594?

A path traversal vulnerability has been identified in multiple QNAP products, allowing local attackers with user accounts to exploit the flaw. By leveraging this vulnerability, attackers could gain unauthorized access to sensitive files and system data that were not intended to be exposed. This issue necessitates immediate attention as the potential for information leaks could significantly compromise system integrity.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Qfinder Pro Mac 7.13.x < 7.13.0

Qsync for Mac 5.1.x < 5.1.5

QVPN Device Client for Mac 2.2.x < 2.2.8

References

https://www.qnap.com/en/security-advisory/qsa-25-55

CVSS V4

Score:

4.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 2, 2026
Vulnerability Reserved
Jul 4, 2025

Credit

Michael Cowell

JSON

QNAP

What is CVE-2025-53594?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.