
ASP.NET Core flaw affects QNAP NetBak PC Agent, other deployments

Written by Field Effect Security Intelligence Team | Oct 27, 2025 8:00:31 PM

On October 24, 2025, QNAP issued a security advisory indicating that its NetBak PC Agent software for Windows is affected by CVE-2025-55315, a critical vulnerability in Microsoft ASP.NET Core.

QNAP categorized the issue as “Important” and recommended updating the ASP.NET Core runtime to version 8.0.21 or later.

ASP.NET Core is a cross-platform framework used to build web applications and Application Programming Interfaces (APIs). The Kestrel web server is its default HTTP server and is commonly deployed behind reverse proxies.  

ASP.NET Core is widely used in enterprise web applications, cloud services, microservices, Internet of Things (IoT) platforms, and open-source projects. Some .NET-based systems, enterprise platforms, and cloud services built on ASP.NET Core may be affected by CVE-2025-55315.

An application or service that uses ASP.NET Core could be vulnerable if:

  • It uses ASP.NET Core versions 2.3.0–2.3.5, 8.0.0–8.0.20, or 9.0.0–9.0.9
  • It relies on Kestrel or similar HTTP request handling mechanisms
  • It processes HTTP requests directly (e.g., APIs, web apps, microservices)

Microsoft disclosed CVE-2025-55315 on October 14, 2025, and released patched versions of ASP.NET Core 2.3.6, 8.0.21, and 9.0.10. Exploitation does not require user interaction and can be performed over the network by a threat actor with low privileges.

The vulnerability allows authentication and input validation mechanisms to be bypassed, potentially exposing sensitive data or enabling unauthorized access. Microsoft assigned CVE-2025-55315 a Common Vulnerability Scoring System (CVSS) v3.1 score of 9.9. The critical rating is based on the worst-case impact involving a security feature bypass and scope change.

Analyst insight

Microsoft has not observed exploitation in the wild as of October 27, 2025. However, the flaw is longstanding and affects all supported ASP.NET Core versions, including those running on the Windows-only .NET Framework. Evaluating deployment architecture and patching runtime dependencies are recommended to reduce risk.

Organizations using ASP.NET Core are advised to update to the patched versions 2.3.6, 8.0.21, or 9.0.10. Microsoft recommends reviewing deployment models to determine whether the runtime is bundled with the application (self-contained) or provided by the host environment (framework-dependent), as this affects how updates are applied.
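
For framework-dependent deployments, the shared runtimes on a host can be compared against the affected ranges listed above. The following Python script is an added example, not code from Field Effect, QNAP, or Microsoft; it parses `dotnet --list-runtimes` output, and the function names and sample listing are constructed for illustration.

```python
import re

# Ranges from the article: (major, minor) -> (last affected patch, first fixed)
AFFECTED = {(2, 3): (5, "2.3.6"), (8, 0): (20, "8.0.21"), (9, 0): (9, "9.0.10")}

# `dotnet --list-runtimes` line: "<name> <version> [<dir>]"; a prerelease
# suffix is ignored, which is an assumption of this example.
RUNTIME_LINE = re.compile(
    r"^Microsoft\.AspNetCore\.\w+\s+(\d+)\.(\d+)\.(\d+)(?:-\S+)?\s+\[(.+)\]$")

def classify(major, minor, patch):
    """Return (status, fixed_version) for one ASP.NET Core version."""
    entry = AFFECTED.get((major, minor))
    if entry is None:
        # Outside the listed ranges: not the same as confirmed safe.
        return "not-listed", None
    last_affected, fixed = entry
    if patch <= last_affected:
        return "affected", fixed
    return "patched", None

def audit(listing):
    """Classify every ASP.NET Core runtime line in the listing text."""
    findings = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m:
            continue  # e.g. Microsoft.NETCore.App, blank lines
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        status, fixed = classify(major, minor, patch)
        findings.append((f"{major}.{minor}.{patch}", status, fixed, m.group(4)))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = r"""
Microsoft.AspNetCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.AspNetCore.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
"""

if __name__ == "__main__":
    for version, status, fixed, path in audit(SAMPLE):
        hint = f" -> update to {fixed} or later" if fixed else ""
        print(f"{version:<8} {status:<10}{hint}  [{path}]")
```

A self-contained application bundles its own runtime, so it does not appear in the host's listing and has to be checked per application.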

Detailed guidance is available in the Microsoft advisory and the ASP.NET Core GitHub security bulletin.

QNAP recommends reinstalling the software or manually updating the ASP.NET Core Hosting Bundle to a secure version. In addition to patching, organizations are encouraged to audit reverse proxy configurations to ensure they normalize or reject ambiguous HTTP requests, which can reduce exposure to request smuggling. It’s also recommended to monitor for anomalous traffic patterns and review application logic that relies on HTTP headers for authentication or access control.