Critical ASP.NET flaw hits QNAP NetBak PC Agent

   October 28, 2025  Posted in Securityaffairs
Share: XFacebookPinterestRedditVKDiggLinkedinMix

Critical ASP.NET flaw hits QNAP NetBak PC Agent

Critical ASP.NET flaw hits QNAP NetBak PC Agent

Pierluigi Paganini
Critical ASP.NET flaw hits QNAP NetBak PC Agent October 28, 2025

Critical ASP.NET flaw hits QNAP NetBak PC Agent

QNAP warns of critical ASP.NET flaw (CVE-2025-55315) in NetBak PC Agent, letting attackers hijack credentials or bypass security via HTTP smuggling.

QNAP urges users to patch a critical ASP.NET Core vulnerability, tracked as CVE-2025-55315 (CVSS score of 9.9), in its NetBak PC Agent for Windows. The flaw resides in the Kestrel server and lets low-privilege attackers hijack credentials or bypass front-end security via HTTP request smuggling.

“Inconsistent interpretation of http requests (‘http request/response smuggling’) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.” reads the advisory published by Microsoft. “An attacker who successfully exploited this vulnerability could smuggle another HTTP request and bypass front-end security controls or hijack other users’ credentials.”

Recently, Microsoft disclosed CVE-2025-55315 in ASP.NET Core, letting attackers bypass security via HTTP request smuggling, risking data access, file modification, or DoS.

“NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup. Therefore, computers running NetBak PC Agent may contain an affected version of ASP.NET Core if the system has not been updated.” reads the advisory published by QNAP. “QNAP strongly recommends users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed.”

If exploited, an authenticated attacker can send crafted HTTP requests to access sensitive data, modify server files, or cause limited denial-of-service, the Taiwanese vendor states.

To address the issue, users can choose between two approaches. The first method involves reinstalling the NetBak PC Agent: uninstall the current version via Settings → Apps, then download and run the latest installer, which automatically updates the ASP.NET Core runtime components. The second method allows you to manually update ASP.NET Core by visiting the .NET 8.0 download page, installing the latest runtime hosting bundle (currently 8.0.21 as of October 2025), and then restarting your application or system.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Twitter)





Source link