CVE-2025-53594

EPSS 0.02%
Veröffentlicht 02.01.2026 15:18:26
Zuletzt bearbeitet 02.01.2026 16:45:26
Quelle security@qnapsecurity.com.tw
CVE-Watchlists
Login
Unerledigt
Login

A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.

We have already fixed the vulnerability in the following versions:
Qfinder Pro Mac 7.13.0 and later
Qsync for Mac 5.1.5 and later
QVPN Device Client for Mac 2.2.8 and later

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerQNAP Systems Inc.

≫

Produkt Qfinder Pro Mac

Default Statusunaffected

Version < 7.13.0

Version 7.13.x

Status affected

HerstellerQNAP Systems Inc.

≫

Produkt Qsync for Mac

Default Statusunaffected

Version < 5.1.5

Version 5.1.x

Status affected

HerstellerQNAP Systems Inc.

≫

Produkt QVPN Device Client for Mac

Default Statusunaffected

Version < 2.2.8

Version 2.2.x

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.047

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@qnapsecurity.com.tw	4.4	0	0	CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://www.qnap.com/en/security-advisory/qsa-25-55

https://nvd.nist.gov/vuln/detail/CVE-2025-53594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53594

EUVD