A critical vulnerability, tracked as CVE-2025-55315, has been identified in QNAP’s NetBak PC Agent, stemming from a flaw within Microsoft’s ASP.NET Core framework. The issue allows attackers to exploit HTTP Request Smuggling (CWE-444) techniques to bypass essential security controls, potentially granting unauthorized access to sensitive backup data and system files.
According to the official security advisory (Security ID: QSA-25-44) published on October 24, 2025, QNAP confirmed that systems running NetBak PC Agent are at risk because the software installs and relies on the vulnerable ASP.NET Core runtime components.
This flaw has been rated “Important” in severity for QNAP users, while external security researchers have classified the underlying vulnerability as critical, with a CVSS score of up to 9.9.
How CVE-2025-55315 Affects NetBak PC Agent
The vulnerability resides in the way ASP.NET Core handles HTTP requests. By crafting specially formed requests, an authenticated attacker could exploit inconsistencies in how the web server interprets incoming messages. Successful exploitation could lead to bypassing security protections, accessing confidential backup data, altering server files, or even causing limited denial-of-service conditions.
Because NetBak PC Agent depends on ASP.NET Core during both installation and runtime, any unpatched version of the framework installed alongside the software leaves systems exposed. Backup servers running outdated ASP.NET Core components are particularly vulnerable, putting backup integrity and data availability at risk.
QNAP emphasized that the vulnerability requires authentication, meaning attackers must already have valid credentials or access. However, insider threats or compromised accounts within corporate networks remain realistic and dangerous attack vectors. Once inside, a malicious actor could leverage CVE-2025-55315 to escalate privileges or move laterally across the network.
QNAP’s Recommendations and Patch Guidance
QNAP describes two main ways to remediate the vulnerability in NetBak PC Agent:
Reinstall NetBak PC Agent
- Go to Settings → Apps → Installed apps, and uninstall the current version of NetBak PC Agent.
- Download the latest version from QNAP’s official website.
- Reinstalling the agent automatically installs the latest ASP.NET Core runtime components.
Manually Update ASP.NET Core
- Visit Microsoft’s official .NET 8.0 download page.
- Download and install the latest ASP.NET Core Runtime (Hosting Bundle) — version 8.0.21 as of October 2025.
- Restart the affected applications or system to ensure the updates are applied correctly.
QNAP further advises administrators to test patches in controlled environments before organization-wide deployment. Ensuring that all systems running NetBak PC are uniformly updated helps prevent inconsistent security configurations across enterprise networks.
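To confirm the update took effect on each host, the check below (an added example, not QNAP or Microsoft code) parses `dotnet --list-runtimes` output and compares the newest ASP.NET Core 8.0 runtime against the 8.0.21 version named above. The function name and sample lines are constructed for illustration, and it assumes the agent uses the shared runtime that command lists.

```powershell
# Added example. Function name and sample data are hypothetical/constructed.
$MinPatched = [version]'8.0.21'   # ASP.NET Core 8.0 version named in the article

function Get-AspNetCore8Status {
    param([string[]]$RuntimeLines)   # lines in `dotnet --list-runtimes` format

    $found = foreach ($line in $RuntimeLines) {
        # Line format: "<framework> <version> [<install path>]"
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(\d+\.\d+\.\d+)\S*\s+\[(.+)\]\s*$') {
            $v = [version]$Matches[1]
            # Only the 8.0 branch is covered by the guidance on this page.
            if ($v.Major -eq 8 -and $v.Minor -eq 0) {
                [pscustomobject]@{ Version = $v; Path = $Matches[2] }
            }
        }
    }
    if (-not $found) {
        return [pscustomobject]@{ Status = 'NoAspNetCore8Runtime'; Newest = $null; Older = @() }
    }
    $newest = ($found | Sort-Object Version -Descending | Select-Object -First 1).Version
    [pscustomobject]@{
        Status = if ($newest -ge $MinPatched) { 'Patched' } else { 'NeedsUpdate' }
        Newest = $newest.ToString()
        # 8.0.x entries below the advisory version that are still listed, for review.
        Older  = @($found | Where-Object { $_.Version -lt $MinPatched } |
                   ForEach-Object { $_.Version.ToString() })
    }
}

# Constructed sample output: one host before the update, one after.
$before = @(
    'Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)
$after = $before + @(
    'Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)
Get-AspNetCore8Status -RuntimeLines $before   # sample host still on 8.0.20
Get-AspNetCore8Status -RuntimeLines $after    # sample host with 8.0.21 installed

# On a live host, pass the real output instead:
# Get-AspNetCore8Status -RuntimeLines (dotnet --list-runtimes)
```

Collecting the `Status` value from every machine running the agent gives a quick view of which hosts still need one of the two remediation paths.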
Lessons from CVE-2025-55315
The discovery of CVE-2025-55315 highlights a persistent reality: vulnerabilities in foundational frameworks like ASP.NET Core can ripple outward to affect multiple dependent applications. In this case, NetBak PC Agent’s reliance on these components links the safety of backup infrastructure directly to Microsoft’s update cadence.
Organizations relying on NetBak PC for protecting data should act immediately to mitigate the risk. Beyond applying patches, implementing regular vulnerability scanning, automated patch management, and periodic security audits can help prevent similar exposures.




