QNAP warned that a critical ASP.NET Core vulnerability also affects its NetBak PC Agent, a Windows utility used to back up data to QNAP network-attached storage devices. The issue is tracked as CVE-2025-55315.
The flaw is a security bypass in the Kestrel ASP.NET Core web server that can allow attackers with low privileges to hijack other users’ credentials or to bypass front-end security controls via HTTP request smuggling, QNAP said.
QNAP noted that NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup, so Windows computers running the agent may contain an affected version of ASP.NET Core if they have not been updated. The company advised customers to ensure their systems have the latest Microsoft ASP.NET Core updates.
To secure affected machines, QNAP recommended either reinstalling the NetBak PC Agent to obtain updated runtime components or manually updating ASP.NET Core by downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 download page.
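To confirm the result of either remediation path on a given machine, the following added example (not QNAP's or Microsoft's code) classifies the ASP.NET Core shared runtimes reported by `dotnet --list-runtimes`. The sample listing and the thresholds in `PLACEHOLDER_MIN_FIXED` are constructed for illustration; the real first-patched versions are not stated on this page and must be taken from Microsoft's advisory for CVE-2025-55315.

```python
import re

# Line format printed by `dotnet --list-runtimes`:
#   Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.+)\]\s*$"
)

def audit_aspnetcore(listing, min_fixed):
    """Classify each installed Microsoft.AspNetCore.App runtime.

    listing   -- text output of `dotnet --list-runtimes`
    min_fixed -- {major: (major, minor, patch)}, first patched build per
                 release line, supplied by the caller from Microsoft's advisory
    Returns a list of (version_string, status) with status one of
    'patched', 'outdated' or 'review'.
    """
    results = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m or m.group("name") != "Microsoft.AspNetCore.App":
            continue  # other shared frameworks are out of scope here
        ver = tuple(int(p) for p in m.group("ver").split("."))
        label = m.group("ver") + (m.group("pre") or "")
        floor = min_fixed.get(ver[0])
        if floor is None or m.group("pre"):
            status = "review"  # no threshold for this line, or a preview build
        elif ver >= floor:
            status = "patched"
        else:
            status = "outdated"
        results.append((label, status))
    return results

# Constructed sample output, not captured from a real host.
SAMPLE_LISTING = r"""
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.70 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-rc.1.24452.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
"""

# Placeholder thresholds for the demo only; substitute the real fixed versions.
PLACEHOLDER_MIN_FIXED = {8: (8, 0, 50), 9: (9, 0, 50)}

if __name__ == "__main__":
    for version, status in audit_aspnetcore(SAMPLE_LISTING, PLACEHOLDER_MIN_FIXED):
        print(f"{version:28} {status}")
```

Entries marked `review` (a release line with no threshold supplied, or a preview build) need a manual decision rather than an automatic pass.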
Microsoft has issued a patch for the vulnerability. Security guidance from Microsoft staff noted that the impact of successful exploitation depends on the targeted ASP.NET application and could include logging in as another user, bypassing cross-site request forgery checks, or injection attacks; QNAP said attackers might also gain unauthorized access to sensitive data, modify server files, or cause limited denial-of-service conditions if exploitation succeeds.
In January, QNAP released updates addressing several rsync vulnerabilities in its HBS 3 Hybrid Backup Sync 25.1.x product that could allow remote attackers to execute maliciously crafted code on unpatched NAS devices, and the company reiterated that users should apply available updates promptly.

