Critical .NET Flaw (CVE-2025-55315) in QNAP: NAS Backup Utility Vulnerable to Credential Theft

Earlier, Microsoft released a security update to address a critical vulnerability in ASP.NET, identified as CVE-2025-55315 with a CVSS score of 9.8. At the time, the .NET team noted that the actual severity might not be as high in all cases, emphasizing that the real impact depends largely on how downstream developers employ ASP.NET Core in their software projects.

In essence, attackers exploiting this flaw could intercept sensitive user credentials or bypass front-end security controls through HTTP request smuggling. For applications handling sensitive data, the potential damage is considerable—making it imperative that users promptly update their .NET components.

Recently, QNAP, the well-known NAS manufacturer, issued a security advisory urging its users to apply the patch, as its NetBak PC Agent—a data backup utility for QNAP NAS devices—also relies on ASP.NET Core and is therefore vulnerable to this flaw.

Even users who have not directly installed such components may still be exposed, as .NET dependencies are often bundled with other software. Hence, installing the latest updates is crucial, particularly within enterprise environments, where unpatched systems could leave significant security gaps.

QNAP strongly recommends that all users ensure their Windows systems have the latest Microsoft ASP.NET Core updates installed. Additionally, QNAP users should uninstall and reinstall the NetBak PC Agent to obtain the most recent and secure version of the framework.

According to technical details, an authenticated attacker with limited privileges could send specially crafted HTTP requests to the web server, potentially leading to unauthorized access to sensitive data, modification of server files, or even a limited denial-of-service (DoS) attack.

You can update ASP.NET Core using one of the following methods:

Method 1: Reinstall NetBak PC Agent

1. Uninstall the existing NetBak PC Agent.
   Go to “Settings > Apps > Installed apps”, locate NetBak PC Agent, and uninstall it.
2. Download the latest version.
   Go to NetBak PC Agent to download the latest installer.
3. Install NetBak PC Agent.
   The installer will automatically download and install the latest ASP.NET Core runtime components.

Method 2: Manually Update ASP.NET Core

1. Visit the .NET 8.0 download page.
2. Download and install the latest ASP.NET Core Runtime (Hosting Bundle).
   Note: As of October 2025, the latest version is 8.0.21.
3. Restart the application or system after installation.

Related Posts:

• QNAP Fixes High-Severity Flaws: NetBak Replicator RCE and SQL Injection in Qsync Central
• CVE-2025-55315: Critical 9.9/10 Flaw in ASP.NET Core Enables Unauthenticated Attack
• Microsoft releases January Patch Tuesday to fix 56 security issues
• Publicly Disclosed ASP.NET Machine Keys Used in Code Injection Attacks
• ConnectWise Patches Critical ViewState RCE Vulnerability in ScreenConnect