Security ID : QSA-24-51

Vulnerability in QVPN Device Client, Qsync Client, and Qfinder Pro for Mac


  • Release date : March 8, 2025

  • CVE identifier : CVE-2024-53694

  • Affected products: QVPN Device Client for Mac 2.2.x, Qsync Client for Mac 5.1.x, Qfinder Pro for Mac 7.11.x

Severity

Moderate

Status

Resolved


Summary

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect several utility versions. If exploited, the vulnerability could allow local attackers who have gained user access to also gain access to otherwise unauthorized resources.

  

We have already fixed the vulnerability in the following versions:

| Affected Product | Fixed Version |
|---|---|
| QVPN Device Client for Mac 2.2.x | QVPN Device Client for Mac 2.2.5 and later |
| Qsync Client for Mac 5.1.x | Qsync Client for Mac 5.1.3 and later |
| Qfinder Pro for Mac 7.11.x | Qfinder Pro for Mac 7.11.1 and later |

Recommendation

To secure your device, we recommend regularly updating your QNAP utilities to the latest versions to benefit from vulnerability fixes. You can check the QNAP Utilities page to see the latest updates available to your device operating system.
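
For administrators triaging many Macs, the following added example (not QNAP code) classifies installed utility versions against the affected branches and fixed versions listed in this advisory. The inventory format (`host,product,version`) and the sample rows are constructed for illustration; versions older than the listed affected branch are reported as unlisted, because the advisory does not state their status.

```python
import re

# Affected branch and first fixed version per product, taken from the advisory table.
ADVISORY = {
    "QVPN Device Client for Mac": ((2, 2), (2, 2, 5)),
    "Qsync Client for Mac": ((5, 1), (5, 1, 3)),
    "Qfinder Pro for Mac": ((7, 11), (7, 11, 1)),
}

def parse_version(text):
    """Turn '5.1.2.0928' or 'v2.2.4 (build 7)' into a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def classify(product, version_text):
    """Return 'fixed', 'affected', 'unlisted-version' or 'not-in-advisory'."""
    if product not in ADVISORY:
        return "not-in-advisory"
    branch, fixed = ADVISORY[product]
    version = parse_version(version_text)
    if version >= fixed:                    # "x.y.z and later" per the advisory
        return "fixed"
    if version[:len(branch)] == branch:     # inside the affected x.y branch
        return "affected"
    return "unlisted-version"               # older branch: advisory is silent

def triage(inventory_lines):
    """Classify each 'host,product,version' line (assumed inventory format)."""
    results = []
    for line in inventory_lines:
        host, product, version = [field.strip() for field in line.split(",")]
        results.append((host, product, version, classify(product, version)))
    return results

# Constructed sample inventory, not real hosts or real build numbers.
SAMPLE_INVENTORY = [
    "mac-001, QVPN Device Client for Mac, 2.2.4",
    "mac-002, Qsync Client for Mac, 5.1.3.0100",
    "mac-003, Qfinder Pro for Mac, 7.11.0",
    "mac-004, Qfinder Pro for Mac, 7.10.2",
]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {status}")
```

Hosts reported as `affected` are the ones to update first; `unlisted-version` results need a manual check against the QNAP Utilities page.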

  

Attachment

Acknowledgements: Mykola Grymalyuk

Revision History:
V1.0 (March 8, 2025) - Published
