SecurityWeek

QNAP NetBak PC Agent Affected by Recent ASP.NET Core Vulnerability

The critical-severity flaw allows attackers to smuggle HTTP requests and access sensitive data, modify server files, or cause DoS conditions.

Taiwan-based QNAP Systems says its NetBak PC Agent is potentially affected by a recently disclosed ASP.NET Core vulnerability that has the “highest ever” CVSS score for an issue in the open source web development framework.

Tracked as CVE-2025-55315 (CVSS score of 9.9), the bug is an HTTP request smuggling defect that allows attackers to bypass security controls over the network, or hijack other users’ credentials.

Microsoft patched the vulnerability on October 2025 Patch Tuesday, warning that it could be exploited to leak sensitive information, tamper with file contents, or force a crash within the server.

The actual impact from the bug, .NET security program manager Barry Dorrans said, is based on how an application was built, and could allow attackers to log in as another user, bypass CSRF checks, make internal requests, and perform injection attacks.

According to QNAP, its NetBak PC Agent installs and depends on ASP.NET Core components during setup, which could result in a vulnerable version of the framework running on systems that have not been updated.

NetBak PC Agent is a Windows application that allows users to back up computer and server contents to a QNAP NAS system, and enables them to restore systems when needed.

Given the essential role the application plays in backup/restoration operations, successful exploitation of CVE-2025-55315 could have dire consequences, potentially allowing attackers to access backup data.

QNAP urges users to immediately apply the patches for ASP.NET Core, either by reinstalling the agent, or by manually downloading and installing the latest framework version.
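To confirm the result of either update path on a Windows machine running the agent, the following PowerShell sketch lists the shared ASP.NET Core runtimes and compares each against a minimum build. It is an added example, not code from QNAP, Microsoft or this article. The function names, the constructed sample lines and the placeholder minimum builds are assumptions, and the real fixed builds must be taken from Microsoft's advisory.

```powershell
# Added example. The minimum builds are PLACEHOLDERS: replace each with the
# fixed build Microsoft's advisory for CVE-2025-55315 gives for that line.
$MinimumPatched = @{
    '8.0' = '<FIXED_8.0_BUILD>'
    '9.0' = '<FIXED_9.0_BUILD>'
}

function Get-AspNetCoreRuntime {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # e.g. Microsoft.AspNetCore.App 8.0.0 [C:\Program Files\dotnet\shared\...]
        if ($line -match '^Microsoft\.AspNetCore\.App\s+(\d+\.\d+\.\d+)(-\S+)?\s+\[(.+)\]\s*$') {
            [pscustomobject]@{
                Version    = [version]$Matches[1]
                PreRelease = [bool]$Matches[2]
                Path       = $Matches[3]
            }
        }
    }
}

function Test-AspNetCoreRuntime {
    param([object[]]$Runtimes, [hashtable]$Minimum)
    foreach ($rt in $Runtimes) {
        $releaseLine = '{0}.{1}' -f $rt.Version.Major, $rt.Version.Minor
        # -as yields $null for a missing key or an unfilled placeholder
        $min = $Minimum[$releaseLine] -as [version]
        if (-not $min) { $status = 'REVIEW: no threshold set' }
        elseif ($rt.Version -lt $min) { $status = 'UPDATE' }
        elseif ($rt.PreRelease) { $status = 'REVIEW: pre-release build' }
        else { $status = 'OK' }
        [pscustomobject]@{ Version = $rt.Version; Status = $status; Path = $rt.Path }
    }
}

# Live output when the dotnet host is on PATH; otherwise constructed sample lines.
if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    $lines = & dotnet --list-runtimes
} else {
    $lines = @(
        'Microsoft.AspNetCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
        'Microsoft.NETCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]'
        'Microsoft.AspNetCore.App 9.0.0-preview.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]'
    )
}

Test-AspNetCoreRuntime -Runtimes (Get-AspNetCoreRuntime -Lines $lines) -Minimum $MinimumPatched |
    Format-Table -AutoSize
```

Older runtimes installed side by side are not removed by installing a newer one, so every row in the output matters, not just the highest version. `dotnet --list-runtimes` reports only shared runtimes, so copies bundled inside an application folder would need a separate file search.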

The company makes no mention of the flaw being exploited against NetBak PC Agent users, but vulnerabilities affecting QNAP products have been popular targets for threat actors.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
