- CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core (severity 9.9/10)
- QNAP urges NetBak PC Agent users to patch affected ASP.NET Core components
- Updates available via reinstall or manual .NET 8.0 Runtime installation
QNAP is warning its customers to patch a critical ASP.NET Core vulnerability, and thus protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said Microsoft recently disclosed a bug affecting ASP.NET Core that “could allow an attacker to bypass security controls through HTTP Request Smuggling.”
What QNAP is referring to is an “HTTP request smuggling bug”, a vulnerability tracked as CVE-2025-55315, with a severity score of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests within the original request - and was described as the “highest ever” vulnerability plaguing its ASP.NET Core product.
Two patching methods
“If successfully exploited, an authenticated attacker could send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial-of-service conditions,” QNAP explained.
The company further stated that since NetBak PC Agent install and depend on Microsoft ASP.NET Core components during setup, they could be affected by this issue.
“QNAP strongly recommends users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed,” the advisory reads.
There are two methods to update ASP.NET Core, QNAP further explains. The first one is to reinstall NetBak PC Agent (by first uninstalling the existing solution, then downloading and installing the latest version), while the second one is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page, and then downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle).
“As of October 2025, the latest version is 8.0.21,” the company confirmed. The last step is to either restart the application or the entire system.
Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
