- CVE-2025-55315 permits HTTP request smuggling in ASP.NET Core (severity 9.9/10)
- QNAP urges NetBak PC Agent customers to patch affected ASP.NET Core components
- Updates available through reinstall or manual .NET 8.0 Runtime install
QNAP is warning its customers to patch a critical ASP.NET Core vulnerability, and thus protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said Microsoft recently disclosed a bug affecting ASP.NET Core that “might allow an attacker to bypass security controls via HTTP Request Smuggling.”
What QNAP is referring to is an “HTTP request smuggling bug”, a vulnerability tracked as CVE-2025-55315, with a severity rating of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests inside the original request. It was described as the “highest ever” vulnerability plaguing its ASP.NET Core product.
Two patching methods
“If successfully exploited, an authenticated attacker might send specially crafted HTTP requests to the web server, leading to unauthorized access to sensitive data, modification of server files, or limited denial-of-service conditions,” QNAP explained.
The company further stated that since NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup, it might be affected by this issue.
“QNAP strongly recommends users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed,” the advisory reads.
There are two methods to update ASP.NET Core, QNAP further explains. The first one is to reinstall NetBak PC Agent (by first uninstalling the current version, then downloading and installing the latest version), while the second is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page, and then downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle).
“As of October 2025, the latest version is 8.0.21,” the company confirmed. The final step is to either restart the application or the entire system.
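To confirm that either method actually left a patched runtime on the machine, the installed ASP.NET Core runtimes can be listed with `dotnet --list-runtimes` and compared against the 8.0.21 figure quoted above. The PowerShell below is an added example, not taken from QNAP's or Microsoft's advisory; the function name `Test-AspNetCoreRuntime` and the sample lines are made up for illustration.

```powershell
# Minimum patched ASP.NET Core 8.0 runtime, as quoted from the QNAP advisory above.
$MinFixed8 = [version]'8.0.21'

function Test-AspNetCoreRuntime {
    # Hypothetical helper: classifies lines in the format printed by `dotnet --list-runtimes`.
    param([string[]]$RuntimeLines)
    foreach ($line in $RuntimeLines) {
        # Expected shape: Microsoft.AspNetCore.App 8.0.10 [C:\...\Microsoft.AspNetCore.App]
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(\d+\.\d+\.\d+)(\S*)\s+\[(.+)\]\s*$') {
            $ver = [version]$Matches[1]
            $status = if ($ver.Major -eq 8 -and $ver.Minor -eq 0) {
                if ($ver -ge $MinFixed8) { 'OK' } else { 'UPDATE REQUIRED' }
            } else {
                # The article gives a fixed version only for the 8.0 line.
                'NOT EVALUATED (no fixed version given in the article)'
            }
            [pscustomobject]@{
                Version = $Matches[1] + $Matches[2]
                Status  = $status
                Path    = $Matches[3]
            }
        }
    }
}

# Constructed sample output, used only when the dotnet CLI is not on PATH.
$sample = @(
    'Microsoft.AspNetCore.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.AspNetCore.App 9.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
)

$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    $sample
}

Test-AspNetCoreRuntime -RuntimeLines $lines | Format-Table -AutoSize
```

Runtimes install side by side, so an older 8.0.x entry can still be listed after the update; what matters is that an 8.0.21 or later entry is present and that the application has been restarted since.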
Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.
Via BleepingComputer
