QNAP warns of critical flaw in its Windows backup software, so update now

News
By published

Recently fixed ASP.NET Core bug affects QNAP NetBak PC Agent

Hands on a laptop with overlaid logos representing network security
(Image credit: Thapana Onphalai via Getty Images)
  • CVE-2025-55315 allows HTTP request smuggling in ASP.NET Core (severity 9.9/10)
  • QNAP urges NetBak PC Agent users to patch affected ASP.NET Core components
  • Updates available via reinstall or manual .NET 8.0 Runtime installation

QNAP is warning its customers to patch a critical ASP.NET Core vulnerability, and thus protect their NetBak PC Agent installations.

In a security advisory, the NAS device maker said Microsoft recently disclosed a bug affecting ASP.NET Core that “could allow an attacker to bypass security controls through HTTP Request Smuggling.”

What QNAP is referring to is an “HTTP request smuggling bug”, a vulnerability tracked as CVE-2025-55315, with a severity score of 9.9/10 (critical). It affects the Kestrel ASP.NET Core web server and allows unauthenticated attackers to “smuggle” secondary HTTP requests within the original request - and was described as the “highest ever” vulnerability plaguing its ASP.NET Core product.

Two patching methods

“If successfully exploited, an authenticated attacker could send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial-of-service conditions,” QNAP explained.

The company further stated that since NetBak PC Agent install and depend on Microsoft ASP.NET Core components during setup, they could be affected by this issue.

“QNAP strongly recommends users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed,” the advisory reads.

There are two methods to update ASP.NET Core, QNAP further explains. The first one is to reinstall NetBak PC Agent (by first uninstalling the existing solution, then downloading and installing the latest version), while the second one is to manually update ASP.NET Core. This can be done by visiting the .NET 8.0 download page, and then downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle).

“As of October 2025, the latest version is 8.0.21,” the company confirmed. The last step is to either restart the application or the entire system.

Microsoft has also released security updates for Microsoft Visual Studio 2022, ASP.NET Core 2.3, ASP.NET Core 8.0, and ASP.NET Core 9.0, as well as the Microsoft.AspNetCore.Server.Kestrel.Core package for ASP.NET Core 2.x apps.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.