Primary

Context

QNAP QVPN, Qsync, and Qfinder Pro for Mac TOCTOU Race Condition Vulnerability

Vulnerability

Patched

A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in QNAP QVPN Device Client for Mac (versions 2.2.x), Qsync Client for Mac (versions 5.1.x), and Qfinder Pro for Mac (versions 7.11.x). This vulnerability allows local attackers with user access to gain unauthorized access to certain resources.

Impact

Exploitation of this vulnerability could lead to unauthorized access to resources.

Remediation

Users are advised to update to QVPN Device Client for Mac 2.2.5 or later, Qsync Client for Mac 5.1.3 or later, and Qfinder Pro for Mac 7.11.1 or later. The latest versions can be downloaded from the QNAP Utilities page.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

5.0

exploitability

2.9

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

5.0

exploitability

2.9

remediation

7.7

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP QVPN, Qsync, and Qfinder Pro for Mac TOCTOU Race Condition Vulnerability

Vulnerability

Impact

Remediation

Affected Products

QNAP Qfinder Pro

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating