Critical ASP.NET Core Vulnerability (CVE-2025-55315) Exposes QNAP NetBak PC Agent to Credential Theft and Security Bypass

Updated March 21, 2026 at 03:35 PM. 4 sources.

QNAP has issued an urgent warning regarding a critical vulnerability, CVE-2025-55315, affecting its NetBak PC Agent backup utility for Windows. The flaw, rooted in Microsoft’s ASP.NET Core framework and specifically the Kestrel server, enables attackers to exploit HTTP request smuggling techniques to bypass security controls, hijack credentials, and potentially access or modify sensitive backup data. The vulnerability, which carries a CVSS score of up to 9.9, requires attackers to have valid credentials but can result in unauthorized access, file modification, or limited denial-of-service conditions if exploited. QNAP’s advisory highlights that the NetBak PC Agent installs and relies on the vulnerable ASP.NET Core components, making any unpatched system susceptible to attack.

Security researchers and QNAP emphasize the importance of immediate remediation, recommending users either reinstall the NetBak PC Agent to ensure the latest ASP.NET Core runtime is deployed or manually update the ASP.NET Core components on affected systems. The vulnerability’s impact is heightened by the fact that backup servers, which often store critical data, are at risk if running outdated ASP.NET Core versions. QNAP strongly urges all users to verify their systems are up to date to prevent exploitation and safeguard backup integrity and data availability.
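
One way to run the verification step on a Windows host, as an added example that is not QNAP's or Microsoft's code. It lists the shared ASP.NET Core runtimes reported by `dotnet --list-runtimes` and flags any below a patched build. `$MinimumPatched` is a placeholder parameter: this page does not state the fixed build number, so take it from the Microsoft advisory for CVE-2025-55315.

```powershell
# Added example: flag ASP.NET Core shared runtimes below a patched build
# on the same release line (for example the .NET 8.0 line named above).
param(
    # Placeholder: fixed build for your release line, from the Microsoft
    # advisory for CVE-2025-55315 (not stated on this page).
    [Parameter(Mandatory)]
    [version]$MinimumPatched
)

$dotnet = Get-Command dotnet -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $dotnet) {
    Write-Warning 'dotnet host not found on PATH; no shared runtimes to list.'
    return
}

# Lines look like: Microsoft.AspNetCore.App <version> [<install path>]
$pattern = '^Microsoft\.AspNetCore\.App\s+(\S+)\s+\[(.+)\]$'

& $dotnet.Path --list-runtimes | ForEach-Object {
    if ($_ -match $pattern) {
        $raw  = $Matches[1]
        $path = $Matches[2]
        # Strip a prerelease suffix such as "-rc.2" so [version] can parse it
        $version = [version]($raw -replace '-.*$')

        # A newer release line is not "patched" just because its number is
        # higher, so only compare builds within the same major.minor line.
        $sameLine = $version.Major -eq $MinimumPatched.Major -and
                    $version.Minor -eq $MinimumPatched.Minor
        # A prerelease of the patched build still predates the release itself.
        $older = $version -lt $MinimumPatched -or
                 ($raw.Contains('-') -and $version -eq $MinimumPatched)

        $status = if (-not $sameLine) {
            'OTHER RELEASE LINE: check against its own fixed build'
        } elseif ($older) {
            'BELOW PATCHED BUILD'
        } else {
            'ok'
        }

        [pscustomobject]@{ Version = $raw; Status = $status; Path = $path }
    }
} | Format-Table -AutoSize
```

The command only reports runtimes registered with the shared `dotnet` host; an application that ships its own copy of the runtime will not appear in this list and has to be checked through its installer or vendor update.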

Timeline

  1. Oct 28, 2025

    QNAP and Microsoft issue advisories and urge immediate updates

    QNAP and Microsoft published advisories warning users about CVE-2025-55315 and recommending immediate remediation. Users were told to reinstall NetBak PC Agent or manually update to the latest .NET 8.0 runtime bundle to address the issue.

  2. Oct 28, 2025

    Critical flaw CVE-2025-55315 disclosed in QNAP NetBak PC Agent

    A critical vulnerability, CVE-2025-55315, was disclosed in the ASP.NET Core/Kestrel component used by QNAP's NetBak PC Agent for Windows. The flaw was rated CVSS 9.9 and could allow authenticated attackers to conduct HTTP request smuggling, bypass security controls, steal credentials, access sensitive data, modify files, or cause denial of service.

Related Stories

QNAP Patches High-Severity Vulnerabilities in NetBak Replicator and Qsync Central

QNAP has addressed two high-severity security vulnerabilities affecting its NetBak Replicator and Qsync Central products. The first vulnerability, tracked as CVE-2025-53595, is an SQL injection flaw in Qsync Central. This vulnerability allows a remote attacker with a user account to execute unauthorized code or commands on the affected system. QNAP has released a fix for this issue in Qsync Central version 5.0.0.2 and later, mitigating the risk of exploitation. The second vulnerability, identified as CVE-2025-57714, impacts NetBak Replicator and is classified as an unquoted search path or element vulnerability. This flaw enables a local attacker with a user account to execute unauthorized code or commands, potentially leading to privilege escalation or further compromise of the system. The vulnerability in NetBak Replicator has been resolved in version 4.5.15.0807 and later. Both vulnerabilities have been assigned high CVSS scores, with the SQL injection in Qsync Central rated at 8.6 and the NetBak Replicator flaw at 8.5, reflecting their significant security impact. QNAP's security advisories recommend that users update to the latest versions of the affected products to ensure protection against these threats. The SQL injection vulnerability in Qsync Central is remotely exploitable, increasing its risk profile, while the NetBak Replicator issue requires local access. No specific details about exploitation in the wild have been reported, but the technical nature of the flaws underscores the importance of prompt patching. The vulnerabilities were reported to QNAP by security researchers and disclosed through official channels, including CVE databases and QNAP's own security team. The advisories do not list the exact affected product versions prior to the fixed releases, but users are urged to verify their software versions and apply updates as soon as possible. 
QNAP's response demonstrates a commitment to addressing security issues in a timely manner, with coordinated disclosure and clear communication to customers. Organizations using QNAP NetBak Replicator or Qsync Central should review their deployment, assess potential exposure, and implement the recommended updates. The vulnerabilities highlight the ongoing risk of both remote and local exploitation vectors in widely used backup and synchronization software. Security teams are advised to monitor for any signs of compromise and to follow best practices for user account management and software maintenance. The prompt release of patches and public disclosure of these vulnerabilities contribute to the overall security posture of QNAP's user base.

1 month ago

QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools

QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users. In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.

1 month ago

Critical Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server

Microsoft has addressed a critical security vulnerability in the Kestrel web server component of ASP.NET Core, tracked as CVE-2025-55315, which received a CVSS severity score of 9.9—the highest ever assigned by Microsoft to a flaw in this framework. The vulnerability enables HTTP request smuggling, a technique where an attacker can embed a malicious request within a legitimate one, potentially bypassing authentication and other security controls. This flaw affects all currently supported versions of ASP.NET Core, including versions 8, 9, and 10, as well as the older ASP.NET Core 2.3 running on the Windows-only .NET Framework. According to Microsoft’s security advisory, the vulnerability allows authenticated attackers to exploit inconsistent HTTP request interpretation, leading to the bypass of security features over a network. Security program manager Barry Dorrans explained that a successful attack could allow an adversary to log in as a different user, circumvent cross-site request forgery (CSRF) protections, or perform injection attacks. The actual risk posed by this vulnerability is highly dependent on the specific application code and deployment configuration, with the most severe outcomes occurring in applications that do not properly validate or handle HTTP requests. Dorrans emphasized that while the vulnerability is serious, the likelihood of exploitation is reduced if applications are well-designed and if reverse proxies or gateways are used to filter out smuggled requests. The high CVSS score reflects the potential for a security feature bypass that changes the scope of access, rather than the likelihood of exploitation in all environments. Developers have sought clarification on what constitutes vulnerable application code, but Microsoft has indicated that any application performing authentication or access control based on HTTP requests could be at risk if not properly secured. 
Kestrel is widely used as the default web server for ASP.NET Core applications, both behind reverse proxies and as a direct-facing server, increasing the potential exposure. Microsoft’s patch addresses the underlying issue in Kestrel, and organizations are urged to apply updates promptly to mitigate the risk. The vulnerability highlights the importance of secure coding practices and the need for defense-in-depth measures, such as using reverse proxies to sanitize incoming requests. Security teams should review their ASP.NET Core deployments, especially those directly exposing Kestrel to the internet, to ensure they are not susceptible to request smuggling attacks. The incident underscores the evolving complexity of web application security and the critical role of timely patch management. Microsoft’s response demonstrates a commitment to transparency and rapid remediation for high-severity vulnerabilities in its ecosystem. Organizations leveraging ASP.NET Core should remain vigilant for further advisories and best practice recommendations from Microsoft and the broader security community.

1 month ago
