CVE-2025-13315
CRITICAL
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
Analysis
Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file by bypassing the authentication on its web service API. The exposed log contains the administrator's username and the administrator's password in encrypted (reversible) form rather than hashed; because the encryption keys are hard-coded (CVE-2025-13316), the password can be recovered and used to gain full administrative control.
Technical Context
The Twonky Server web interface exposes API endpoints that should require authentication. An access control flaw lets unauthenticated users retrieve the server's log file, which contains the administrator's username and an encrypted password. Combined with CVE-2025-13316 (hard-coded encryption keys), the password can be trivially decrypted, giving full administrative access to the media server. Since the credential is reversibly encrypted and the key is known, disclosure of the log is equivalent to disclosure of the admin password; the two CVEs together form a single unauthenticated, network-reachable takeover path, which is why the CVSS 4.0 vector above scores it critical with no privileges or user interaction required.
Affected Products
- Twonky Server 8.5.2 (Linux)
- Twonky Server 8.5.2 (Windows)
- NAS devices bundling Twonky Server
Remediation
Check with the device vendor for a Twonky Server update; on NAS appliances that bundle Twonky, the fix arrives as a firmware update from the NAS vendor, not from Twonky directly. Until a fix is available, ensure Twonky Server is not reachable from the internet and restrict access to the Twonky web interface with firewall rules that limit it to trusted devices on the local network. Change the admin password after applying the fix, not before: as long as the flaw is present the log stays readable, so a new password set beforehand is exposed the same way. If the interface was reachable from untrusted networks while unpatched, treat the existing admin credential as compromised and check whether it was reused elsewhere.
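As an added example that is not part of this advisory and not Twonky's own code, the following Python script implements the exposure check behind the remediation above: it parses web-access log lines for the Twonky interface and reports the requests that were actually served to sources outside the trusted local network, ignoring requests a firewall or proxy already rejected. It assumes requests to the interface are logged in Combined Log Format by a reverse proxy or the host, treats RFC 1918, loopback and link-local ranges as trusted, and runs on constructed sample lines; the request paths in the sample are placeholders, not Twonky endpoints.

```python
"""Audit access-log lines for requests served to a Twonky web interface from
outside the trusted local network. Added example; assumptions are marked."""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumption: "trusted local network" means private, loopback and link-local
# ranges. Narrow this to the real LAN subnet(s) in a deployment.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")
]

# Assumption: requests are logged in Combined Log Format (reverse proxy or host).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic, paths are placeholders): two LAN
# hits, two served internet hits, one internet hit the proxy rejected (403),
# and one line that is not in the expected format.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Nov/2025:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
192.168.1.21 - - [10/Nov/2025:10:01:30 +0000] "GET /config HTTP/1.1" 200 4098
203.0.113.45 - - [10/Nov/2025:10:02:10 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [10/Nov/2025:10:02:11 +0000] "GET /config HTTP/1.1" 200 4098
198.51.100.7 - - [10/Nov/2025:10:03:00 +0000] "GET /config HTTP/1.1" 403 153
this line is not in combined log format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    """True if ip lies in a trusted range. Unparseable sources are never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(log_text: str) -> List[Dict[str, str]]:
    """Return the requests that came from an untrusted source and were served
    (status below 400). Requests already rejected by a proxy or firewall are
    not exposure, so they are left out; unparseable lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or is_trusted(rec["ip"]):
            continue
        if int(rec["status"]) >= 400:
            continue
        findings.append(rec)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count served untrusted requests per source address."""
    counts: Dict[str, int] = {}
    for rec in findings:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in summarize(audit(SAMPLE_LOG)).items():
        print(f"{ip}: {n} request(s) served to the Twonky interface "
              f"from outside the trusted network")
```

Any source reported by this script reached the interface while the flaw was present, so the admin credential should be rotated after the fix as described above; the 403 line is deliberately excluded because a rejected request did not reach Twonky.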