Security ID : QSA-25-55
Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac)
Release date : January 3, 2026
CVE identifier : CVE-2025-53594
Affected products: Qfinder Pro (for Mac) 7.13.x, Qsync (for Mac) 5.1.x, QVPN Device Client (for Mac) 2.2.x
Severity
Moderate
Status
Resolved
Summary
A path traversal vulnerability has been reported to affect several utilities. If a local attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following utilities and versions:
| Affected Product | Fixed Version |
| Qfinder Pro (for Mac) 7.13.x | Qfinder Pro (for Mac) 7.13.0 and later |
| Qsync (for Mac) 5.1.x | Qsync (for Mac) 5.1.5 and later |
| QVPN Device Client (for Mac) 2.2.x | QVPN Device Client (for Mac) 2.2.8 and later |
Recommendation
To secure your device, we recommend regularly updating your QNAP utilities to the latest versions to benefit from vulnerability fixes. You can check the QNAP Utilities page to see the latest updates available to your device operating system.
Attachment
Acknowledgements: Michael Cowell
Revision History:
V1.0 (January 3, 2026) - Published
