- CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core (Severity 9.9/10)
- QNAP urges NetBak PC Agent users to fix affected ASP.NET Core components
- Updates available through reinstallation or manual installation of .NET 8.0 runtime
QNAP is warning customers to patch a critical ASP.NET Core vulnerability and protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said Microsoft recently disclosed a bug affecting ASP.NET Core that “could allow an attacker to bypass security controls via smuggling HTTP requests.”
What QNAP is referring to is an “HTTP request smuggling bug,” a vulnerability identified as CVE-2025-55315, with a severity score of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “pass” secondary HTTP requests into the original request – and has been described as the “highest ever recorded” vulnerability affecting its ASP.NET Core product.
Two patch methods
“If successfully exploited, an authenticated attacker could send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial of service conditions,” QNAP explained.
The company further stated that since NetBak PC Agent is installed and depends on Microsoft ASP.NET Core components during installation, they could be affected by this issue.
“QNAP strongly recommends that users ensure that their Windows systems have the latest updates to Microsoft ASP.NET Core,” the advisory states.
There are two methods to update ASP.NET Core, QNAP further explains. The first is to reinstall NetBak PC Agent (by first uninstalling the existing solution and then downloading and installing the latest version), while the second is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page and then downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle).
“As of October 2025, the latest version is 8.0.21,” the company confirmed. The last step is to restart the application or the entire system.
Microsoft also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
