CVE-2024-53694

HIGH

QVPN Device Client for Mac <2.2.5, Qsync for Mac <5.1.3, Qfinder Pr...

Title source: llm

Description

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local attackers who have gained user access to gain access to otherwise unauthorized resources. We have already fixed the vulnerability in the following versions: QVPN Device Client for Mac 2.2.5 and later Qsync for Mac 5.1.3 and later Qfinder Pro Mac 7.11.1 and later

References (1)

[Various Sources] https://www.qnap.com/en/security-advisory/qsa-24-51

Scores

CVSS v4 8.6

EPSS 0.0007

EPSS Percentile 22.0%

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-367

Status published

Products (3)

QNAP Systems Inc./Qfinder Pro Mac 7.11.x - 7.11.1

QNAP Systems Inc./Qsync for Mac 5.1.x - 5.1.3

QNAP Systems Inc./QVPN Device Client for Mac 2.2.x - 2.2.5

Published Mar 07, 2025

Tracked Since Feb 18, 2026