A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect several product versions. If exploited, the vulnerability could allow local attackers who have already gained user access to reach resources they are not otherwise authorized to access.
We have already fixed the vulnerability in the following versions:
QVPN Device Client for Mac 2.2.5 and later
Qsync for Mac 5.1.3 and later
Qfinder Pro Mac 7.11.1 and later
CVE ID: CVE-2024-53694
CVSS Base Severity: HIGH
CVSS Base Score: 8.6
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Vendor: QNAP Systems Inc.
Product: QVPN Device Client for Mac, Qsync for Mac, Qfinder Pro Mac
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.84% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-04-05 (date this score was calculated)