- CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core (severity 9.9/10)
- QNAP urges NetBak PC Agent users to patch affected ASP.NET Core components
- Updates are available by reinstalling the agent or manually installing the .NET 8.0 Runtime
QNAP is warning its customers to patch a critical ASP.NET Core vulnerability to protect their NetBak PC Agent installations.
In a security advisory, the NAS device maker said that Microsoft recently disclosed a bug affecting ASP.NET Core that “may permit an attacker to bypass safety controls by means of HTTP request smuggling.”
What QNAP is referring to is an “HTTP request smuggling bug,” a vulnerability tracked as CVE-2025-55315, with a severity rating of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests into the original request, and was described as the “highest ever” vulnerability affecting the ASP.NET Core product.
Two patching methods
“If efficiently exploited, an authenticated attacker may ship specifically crafted HTTP requests to the online server, leading to unauthorized entry to delicate information, modification of server information, or restricted denial of service situations,” QNAP explained.
The company further said that because NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup, it may be affected by this issue.
“QNAP strongly recommends customers make sure that their Windows methods have the newest Microsoft ASP.NET Core updates put in,” the advisory reads.
There are two ways to update ASP.NET Core, QNAP explains in more detail. The first is to reinstall NetBak PC Agent (first uninstalling the current version and then downloading and installing the latest one), while the second is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page and then downloading and installing the latest version of ASP.NET Core Runtime (Hosting Bundle).
“As of October 2025, the newest model is 8.0.21,” the company confirmed. The final step is to restart the application or the entire system.
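To confirm the result of either method, the following added example (not code from QNAP or Microsoft) parses `dotnet --list-runtimes` output and reports whether the highest installed ASP.NET Core 8.0 runtime is at least 8.0.21. The function name `Get-AspNetCore80Status` is hypothetical, the sample lines are constructed, and it assumes `dotnet` is on the PATH when run against a live host.

```powershell
# Fixed 8.0 runtime version as stated in the advisory text on this page.
$MinFixed = [version]'8.0.21'

function Get-AspNetCore80Status {
    param([string[]]$RuntimeLines)
    # Each line looks like: "<framework> <version> [<install path>]"
    $found = @(foreach ($line in $RuntimeLines) {
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(?<ver>8\.0\.\d+)(?<pre>-\S+)?\s+\[(?<path>.+)\]\s*$') {
            [pscustomobject]@{
                Version = [version]$Matches['ver']            # numeric part, used for comparison
                Label   = $Matches['ver'] + $Matches['pre']   # as printed, incl. any prerelease tag
                Path    = $Matches['path']
            }
        }
    })
    if ($found.Count -eq 0) {
        return [pscustomobject]@{ Installed = ''; Highest = $null; Patched = $null }
    }
    # Framework-dependent apps roll forward to the newest installed patch of
    # their release line, so the verdict is based on the highest 8.0.x present.
    $highest = $found | Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        Installed = $found.Label -join ', '
        Highest   = $highest.Label
        Patched   = ($highest.Version -ge $MinFixed)
    }
}

# Constructed sample output (not taken from a real host).
$sample = @(
    'Microsoft.AspNetCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
    'Microsoft.WindowsDesktop.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]'
)

# Use the live host when dotnet is available, otherwise fall back to the sample.
$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    $sample
}

Get-AspNetCore80Status -RuntimeLines $lines | Format-List
```

With the constructed sample, `Patched` is `False` because the highest 8.0 runtime is 8.0.11; after installing the Hosting Bundle and restarting, a rerun should list 8.0.21 or later.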
Microsoft also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x applications.
Via BleepingComputer
