Advisory

Critical ASP.NET Core flaw affects QNAP NetBak PC Agent and Enterprise web applications

Take action: If you're using QNAP NetBak PC Agent backup software, immediately reinstall the latest version from QNAP's website - this will automatically update the vulnerable ASP.NET Core components to fix CVE-2025-55315. Alternatively, manually download and install the latest ASP.NET Core Runtime Hosting Bundle (version 8.0.21 or newer) from Microsoft's .NET download page and restart your system.


Learn More

QNAP Networks issued a security advisory warning that its NetBak PC Agent backup software for Windows systems is affected by a critical ASP.NET Core vulnerability because it depends on ASP.NET Core runtime components.

The vulnerability, tracked as CVE-2025-55315 (CVSS score 9.9), is an HTTP request smuggling weakness in the Kestrel web server component that could allow authenticated attackers to bypass security features, hijack user credentials, and gain unauthorized access to sensitive systems. The flaw has significant implications beyond Microsoft's ecosystem, as

Microsoft published the initial security advisory for CVE-2025-55315 on October 14, 2025. Affected versions span currently supported ASP.NET Core releases and include older versions still in use across enterprise environments. Specifically, the vulnerability impacts ASP.NET Core 6.0.0 through 6.0.36, ASP.NET Core 8.0.0 through 8.0.20, ASP.NET Core 9.0.0 through 9.0.9, ASP.NET Core 10.0.0-rc.1.25451.107 and earlier release candidates, and any application consuming the NuGet package Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.0 or earlier. This broad version range means that organizations running web applications, APIs, microservices, or any other ASP.NET Core-based solutions could be at risk if they have not applied recent updates.

Microsoft has released patches addressing CVE-2025-55315 across all supported ASP.NET Core versions. Organizations should update to ASP.NET Core 6.0.37 or later for version 6 applications, ASP.NET Core 8.0.21 or later for version 8 applications, ASP.NET Core 9.0.10 or later for version 9 applications, ASP.NET Core 10.0.0-rc.2.25502.107 or later for version 10 preview applications, and Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.6 for applications using the standalone Kestrel package. 
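To check a Windows host against these version ranges, the following added example (not code from QNAP or Microsoft) classifies the ASP.NET Core shared runtimes reported by `dotnet --list-runtimes`. The function names and the `NotListed` status are hypothetical, the sample lines are constructed, and the fixed-version table is taken from the paragraph above.

```powershell
# First patched release per major line, taken from the advisory text above.
$FixedVersion = @{ 6 = '6.0.37'; 8 = '8.0.21'; 9 = '9.0.10'; 10 = '10.0.0-rc.2.25502.107' }

function Compare-Prerelease {
    # SemVer ordering of prerelease labels; a final release (no label) sorts highest.
    param([string]$A, [string]$B)
    if (-not $A -and -not $B) { return 0 }
    if (-not $A) { return 1 }
    if (-not $B) { return -1 }
    $x = $A -split '\.'; $y = $B -split '\.'
    for ($i = 0; $i -lt [Math]::Min($x.Count, $y.Count); $i++) {
        $nx = 0; $ny = 0
        if ([int]::TryParse($x[$i], [ref]$nx) -and [int]::TryParse($y[$i], [ref]$ny)) {
            $c = $nx.CompareTo($ny)          # numeric identifiers compare as numbers
        } else { $c = [string]::CompareOrdinal($x[$i], $y[$i]) }
        if ($c -ne 0) { return [Math]::Sign($c) }
    }
    return [Math]::Sign($x.Count - $y.Count)
}

function Test-AspNetCoreRuntime {
    # Classifies each Microsoft.AspNetCore.App line of `dotnet --list-runtimes` output.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(\S+)\s+\[') {
            $text = $Matches[1]
            $core, $pre = $text -split '-', 2
            $major = ([version]$core).Major
            if ($FixedVersion.ContainsKey($major)) {
                $fixCore, $fixPre = $FixedVersion[$major] -split '-', 2
                $c = ([version]$core).CompareTo([version]$fixCore)
                if ($c -eq 0) { $c = Compare-Prerelease $pre $fixPre }
                $status = if ($c -lt 0) { 'Vulnerable' } else { 'Patched' }
            } else { $status = 'NotListed' }   # advisory names no fixed build for this major
            [pscustomobject]@{ Version = $text; Status = $status }
        }
    }
}

# Constructed sample in the `dotnet --list-runtimes` format; on a real host pass (dotnet --list-runtimes).
$sample = @(
    'Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.AspNetCore.App 7.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    'Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
)
Test-AspNetCoreRuntime -Lines $sample | Format-Table -AutoSize
```

This covers only the shared runtimes installed on the host; applications that consume the Microsoft.AspNetCore.Server.Kestrel.Core NuGet package directly need a separate dependency check.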

QNAP explains that NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup, meaning computers running the backup software may contain vulnerable ASP.NET Core versions if not updated. The company characterized the severity as "Important" and advised all users to ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed.

QNAP suggests two remediation methods for NetBak PC Agent users. 

  • The first method involves reinstalling NetBak PC Agent by uninstalling the existing installation through Windows Settings, downloading the latest version from QNAP's website, and installing it, which automatically downloads and installs the latest ASP.NET Core runtime components.
  • The second method allows manual ASP.NET Core updates by visiting the .NET 8.0 download page, downloading and installing the latest ASP.NET Core Runtime Hosting Bundle (version 8.0.21 as of October 2025), and restarting the application or system afterward.

QNAP emphasized that successful exploitation could result in unauthorized access to sensitive data, modification of server files, or limited denial-of-service conditions affecting backup operations.