- CVE-2025-55315 allows HTTP request forging in ASP.NET Core (Severity 9.9/10)
- QNAP encourages NetBak PC Agent users to patch affected ASP.NET Core components
- Updates available via reinstallation or manual .NET 8.0 Runtime installation
QNAP is warning its customers to patch a critical ASP.NET Core vulnerability and thereby protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said Microsoft recently disclosed a bug affecting ASP.NET Core that “could allow an attacker to bypass security controls through HTTP request spoofing.”
What QNAP is referring to is an “HTTP request smuggling flaw,” a vulnerability tracked as CVE-2025-55315, with a severity score of 9.9/10 (Critical). It affects the Kestrel ASP.NET Core web server and allows unauthorized attackers to “smuggle” secondary HTTP requests within the original request. It was described as the “highest ever” vulnerability to plague Microsoft's ASP.NET Core product.
Two patching methods
“If successfully exploited, an authenticated attacker can send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial of service conditions,” explained QNAP.
The company further stated that since NetBak PC Agent installs and relies on Microsoft ASP.NET Core components during setup, they may be affected by this issue.
“QNAP strongly recommends that users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed,” the guidance reads.
There are two methods to update ASP.NET Core, QNAP further explains. The first is to reinstall the NetBak PC Agent (by first uninstalling the existing solution, then downloading and installing the latest version), while the second is to update ASP.NET Core manually. This can be done by visiting the .NET 8.0 download page and then downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle).
“As of October 2025, the latest version is 8.0.21,” the company confirmed. The last step is to either restart the application or the entire system.
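To confirm that either update method took effect, the following added example (not QNAP's or Microsoft's code) parses `dotnet --list-runtimes` output and reports whether the highest installed ASP.NET Core 8.0 shared runtime has reached 8.0.21. It assumes the `dotnet` host is on PATH and that the agent uses the shared runtime; the function name and sample lines are constructed for illustration.

```powershell
# Added example: check whether the ASP.NET Core 8.0 shared runtime on a Windows
# host has reached 8.0.21, the version the advisory names as current.
$MinPatched = [version]'8.0.21'

function Get-AspNetCore8Status {
    param([string[]]$RuntimeLines)   # text in `dotnet --list-runtimes` format

    $found = foreach ($line in $RuntimeLines) {
        # Shape: Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\...]
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(\d+\.\d+\.\d+)\S*\s+\[') {
            $v = [version]$Matches[1]
            # Only the 8.0 branch is assessed; the advisory gives no other fixed version.
            if ($v.Major -eq 8 -and $v.Minor -eq 0) { $v }
        }
    }
    if (-not $found) {
        return [pscustomobject]@{ Highest = $null; Installed = @(); Patched = $null }
    }
    # Patch releases install side by side; framework-dependent apps roll forward
    # to the highest installed 8.0.x, so that is the version that matters.
    $highest = $found | Sort-Object -Descending | Select-Object -First 1
    [pscustomobject]@{
        Highest   = $highest
        Installed = @($found | Sort-Object)
        Patched   = ($highest -ge $MinPatched)
    }
}

# Constructed sample listing for an offline run (paths and versions are illustrative).
$sample = @(
    'Microsoft.AspNetCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)
Get-AspNetCore8Status -RuntimeLines $sample

# On a real host, feed the live listing instead (assumes dotnet is on PATH).
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    Get-AspNetCore8Status -RuntimeLines (dotnet --list-runtimes)
}
```

Applications published as self-contained carry their own copy of the runtime and do not appear in this listing, so they need to be checked separately.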
Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
Via Bleeping Computer



