QNAP has issued an urgent advisory asking users to patch a significant vulnerability in ASP.NET Core that affects NetBak PC Agent. The flaw, identified as CVE-2025-55315, is an HTTP request smuggling vulnerability in the Kestrel web server with a CVSS score of 9.9. This security issue could allow unauthorized access to or modification of server data, as well as denial-of-service attacks.
Understanding the Vulnerability
CVE-2025-55315 poses a critical risk because it lets unauthenticated attackers transmit additional malicious HTTP requests within a primary request. This can result in unauthorized data access or modifications on affected servers. The vulnerability impacts systems where NetBak PC Agent depends on Microsoft ASP.NET Core components during installation.
Recommended Update Actions
QNAP strongly recommends that users update their systems to mitigate this vulnerability. There are two main ways to update:
- Reinstall NetBak PC Agent by uninstalling the existing version and downloading the latest release.
- Manually update ASP.NET Core by downloading the latest .NET 8.0 ASP.NET Core Runtime (Hosting Bundle) and installing it on the system. As of 2025-10-01, the latest version is 8.0.21.
After the update, users should restart either the application or the complete system to ensure all changes take effect.
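To confirm the result of either update path, the following added example (not from QNAP or Microsoft) parses the output of `dotnet --list-runtimes` and compares each installed ASP.NET Core 8.0 shared runtime against 8.0.21, the version named above. The function name and the sample lines are constructed for illustration, and it assumes the agent uses the shared runtime reported by the `dotnet` host.

```powershell
# Added example: compare installed ASP.NET Core 8.0 shared runtimes with 8.0.21,
# the version the advisory text names as latest on 2025-10-01.
$FixedVersion8 = [version]'8.0.21'

function Get-AspNetCoreRuntimeStatus {   # hypothetical helper name
    param([string[]]$RuntimeLines)
    foreach ($line in $RuntimeLines) {
        # Each line has the form: "<framework name> <version> [<install path>]"
        if ($line -notmatch '^Microsoft\.AspNetCore\.App\s+(\S+)\s+\[(.+)\]\s*$') { continue }
        $raw  = $Matches[1]
        $path = $Matches[2]
        # Drop any prerelease suffix ("-rc.1...") so [version] can parse the value.
        $ver = [version]($raw -split '-')[0]
        $status = if ($ver.Major -eq 8 -and $ver.Minor -eq 0) {
            if ($ver -lt $FixedVersion8) { 'Below 8.0.21' } else { 'At or above 8.0.21' }
        } else {
            # The page gives a version number only for the 8.0 line.
            'Not assessed (see the vendor advisory for this release line)'
        }
        [pscustomobject]@{ Version = $raw; Status = $status; Path = $path }
    }
}

# Constructed sample output, used only when the dotnet host is not on PATH.
$sample = @(
    'Microsoft.AspNetCore.App 8.0.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.AspNetCore.App 9.0.0-rc.1.24452.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
)

$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    $sample
}

Get-AspNetCoreRuntimeStatus -RuntimeLines $lines | Format-Table -AutoSize
```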
Additional Security Updates
Microsoft has also rolled out crucial security updates for several components, including Visual Studio 2022 and ASP.NET Core 2.3, 8.0, and 9.0. Updates are likewise available for the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x.
QNAP emphasizes the importance of these updates to safeguard against potential exploits targeting this high-severity vulnerability in the Kestrel server utilized by ASP.NET Core.



