QNAP warns users to patch critical ASP.NET flaw

BleepingComputer reports that QNAP has urged users to patch a critical ASP.NET Core vulnerability tracked as CVE-2025-55315, which also affects its NetBak PC Agent software for Windows. The flaw, found in Microsoft's Kestrel web server, allows attackers with limited privileges to hijack credentials, bypass security controls, or launch injection attacks via HTTP request smuggling, according to Microsoft's .NET security manager Barry Dorrans. QNAP warned that NetBak PC Agent installs vulnerable ASP.NET Core components and advised users to update their systems or reinstall the software to obtain the latest runtime bundle from Microsoft's .NET 8.0 site. The vulnerability, rated with the highest-ever severity for an ASP.NET Core flaw, could let attackers gain unauthorized access to data, alter files, or cause limited denial-of-service. QNAP added that affected users should act immediately to prevent exploitation. Earlier this year, the company also patched several rsync flaws in its HBS 3 Hybrid Backup Sync that exposed NAS devices to remote code execution.
