CVE-2025-53594
Path Traversal in QNAP Mac Clients Allows Unauthorized File Access
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: QNAP Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qnap | qfinder_pro | From 7.13.0 (inc) |
| qnap | qsync | From 5.1.5 (inc) |
| qnap | qvpn_device_client | From 2.2.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-53594 is a path traversal vulnerability in QNAP utilities for Mac (Qfinder Pro, Qsync, and QVPN Device Client). A local attacker who has access to a user account can exploit this flaw to read files or system data that they should not be able to access. [1]
How can this vulnerability impact me? :
This vulnerability can allow a local attacker with user account access to read unauthorized files or sensitive system data, potentially leading to information disclosure or further attacks. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your QNAP utilities for Mac to the fixed versions: Qfinder Pro to version 7.13.0 or later, Qsync to version 5.1.5 or later, and QVPN Device Client to version 2.2.8 or later. Regularly updating these utilities to the latest versions is advised to prevent exploitation. [1]