QNAP warned customers to patch a critical ASP.NET Core vulnerability that also impacts the company's NetBak PC Agent, a Windows utility for backing up data to a QNAP network-attached storage (NAS) device.
Tracked as CVE-2025-55315, this security bypass flaw was discovered in the Kestrel ASP.NET Core web server and allows attackers with low privileges to hijack other users' credentials or bypass front-end security controls via HTTP request smuggling.
“NetBak PC Agent installs and depends on Microsoft ASP.NET Core components during setup. Therefore, computers running NetBak PC Agent may contain an affected version of ASP.NET Core if the system has not been updated,” QNAP said.
“QNAP strongly recommends users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed.”
To secure their systems against potential attacks, QNAP users are advised to either reinstall the NetBak PC Agent app to get the latest ASP.NET Core runtime components or manually update ASP.NET Core on their PCs by downloading and installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 download page.
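To verify that the remediation above actually took effect on a PC, the following is an added PowerShell check (not QNAP's or Microsoft's code) that enumerates the installed ASP.NET Core shared runtimes and flags any whose version is below the patched release for its major version. The per-major minimum versions are placeholders to fill in from Microsoft's CVE-2025-55315 advisory; the script assumes the `dotnet` host is on PATH.

```powershell
# Added example: audit installed Microsoft.AspNetCore.App runtimes against patched versions.
# PLACEHOLDERS: set each entry to the fixed ASP.NET Core version for that major release
# as published in Microsoft's CVE-2025-55315 advisory (values below are NOT real fixed versions).
$MinimumPatched = @{
    8 = [version]'8.0.0'   # placeholder, replace with the patched 8.0.x version
    9 = [version]'9.0.0'   # placeholder, replace with the patched 9.0.x version
}

$dotnet = Get-Command dotnet -ErrorAction SilentlyContinue
if (-not $dotnet) {
    Write-Warning 'dotnet host not found on PATH; cannot enumerate shared runtimes.'
    exit 2
}

# 'dotnet --list-runtimes' prints one line per runtime, for example:
#   Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
$runtimes = & $dotnet.Source --list-runtimes 2>$null | ForEach-Object {
    if ($_ -match '^Microsoft\.AspNetCore\.App\s+(\S+)\s+\[(.+)\]$') {
        # Preview/RC tags such as 10.0.0-rc.1 are not [version]-parsable; compare the numeric part.
        $numeric = [version](($Matches[1] -split '-')[0])
        [pscustomobject]@{ Version = $Matches[1]; Numeric = $numeric; Path = $Matches[2] }
    }
}

if (-not $runtimes) {
    Write-Output 'No Microsoft.AspNetCore.App shared runtime is installed.'
    exit 0
}

$findings = foreach ($rt in $runtimes) {
    $min = $MinimumPatched[$rt.Numeric.Major]
    $state = if ($null -eq $min) { 'UNKNOWN (no minimum configured; check advisory)' }
             elseif ($rt.Numeric -lt $min) { "VULNERABLE (below $min)" }
             else { 'OK' }
    [pscustomobject]@{ Version = $rt.Version; State = $state; Path = $rt.Path }
}

$findings | Format-Table Version, State, Path -AutoSize

if ($findings.State -match '^VULNERABLE') {
    Write-Warning 'Outdated ASP.NET Core runtime present. Reinstall NetBak PC Agent or install the latest ASP.NET Core Runtime (Hosting Bundle).'
    exit 1
}
exit 0
```

A non-zero exit code makes the check usable from an endpoint management job, so fleets of NetBak PC Agent hosts can be swept rather than inspected by hand.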
As .NET security technical program manager Barry Dorrans explained two weeks ago, when Microsoft patched this vulnerability (which was flagged with the “highest ever” severity score received by an ASP.NET Core security flaw), the impact of CVE-2025-55315 attacks depends on the targeted ASP.NET application.
Successful exploitation could allow the attackers to log in as another user (for privilege escalation), bypass cross-site request forgery (CSRF) checks, or carry out injection attacks.
“If successfully exploited, an authenticated attacker could send specially crafted HTTP requests to the web server, resulting in unauthorized access to sensitive data, modification of server files, or limited denial-of-service conditions,” QNAP added.
In January, QNAP also released security updates to patch half a dozen rsync vulnerabilities in its HBS 3 Hybrid Backup Sync 25.1.x, the company's data backup and disaster recovery solution, that could allow remote attackers to execute maliciously crafted code on unpatched Network Attached Storage (NAS) devices.