QNAP NetBak PC Agent Affected by Recent ASP.NET Core Vulnerability

The critical-severity flaw allows attackers to smuggle HTTP requests and access sensitive data, modify server files, or cause DoS conditions.

Taiwan-based QNAP Systems says its NetBak PC Agent is potentially affected by a recently disclosed ASP.NET Core vulnerability that has the “highest ever” CVSS score for an issue in the open source web development framework.

Tracked as CVE-2025-55315 (CVSS score of 9.9), the bug is an HTTP request smuggling defect that allows attackers to bypass security controls over the network, or hijack other users’ credentials.

Microsoft patched the vulnerability on October 2025 Patch Tuesday, warning that it could be exploited to leak sensitive information, tamper with file contents, or force a crash within the server.

The actual impact from the bug, .NET security program manager Barry Dorrans said, is based on how an application was built, and could allow attackers to log in as another user, bypass CSRF checks, make internal requests, and perform injection attacks.

According to QNAP, its NetBak PC Agent installs and depends on ASP.NET Core components during setup, which could result in a vulnerable version of the framework running on systems that have not been updated.

NetBak PC Agent is a Windows application that allows users to back up computer and server contents to a QNAP NAS system, and enables them to restore systems when needed.

Given the essential role the application plays in backup/restoration operations, successful exploitation of CVE-2025-55315 could have dire consequences, potentially allowing attackers to access backup data.

QNAP urges users to immediately apply the patches for ASP.NET Core, either by reinstalling the agent, or by manually downloading and installing the latest framework version.

The company makes no mention of the flaw being exploited against NetBak PC Agent users, but vulnerabilities affecting QNAP products have been popular targets for threat actors.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
