- CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core (severity 9.9/10)
- QNAP urges NetBak PC Agent users to patch affected ASP.NET Core components
- Updates available by reinstalling or manually installing the .NET 8.0 Runtime
QNAP warns its customers to patch a critical ASP.NET Core vulnerability to protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said that Microsoft recently disclosed a bug affecting ASP.NET Core that “could allow an attacker to bypass security controls through HTTP request smuggling.”
What QNAP is referring to is an “HTTP request smuggling bug,” a vulnerability tracked as CVE-2025-55315, with a severity score of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests into the original request, and was described as the “highest ever” vulnerability affecting its ASP.NET Core product.
Two patching methods
“If successfully exploited, an authenticated attacker could send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial of service conditions,” QNAP explained.
The company further stated that since NetBak PC Agent is installed and depends on Microsoft ASP.NET Core components during installation, they could be affected by this issue.
“QNAP strongly recommends users ensure that their Windows systems have the latest Microsoft ASP.NET Core updates installed,” the advisory reads.
There are two methods to update ASP.NET Core, QNAP explains in more detail. The first is to reinstall NetBak PC Agent (first by uninstalling the existing solution and then downloading and installing the latest version), while the second is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page and then downloading and installing the latest version of ASP.NET Core Runtime (hosting package).
“As of October 2025, the latest version is 8.0.21,” the company confirmed. The last step is to restart the application or the entire system.
Microsoft also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
