Twonky Server
CVE-2025-13315
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
AnalysisAI
Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API bypass. The exposed log contains the administrator's username and encrypted password, which can be decrypted using hard-coded keys (CVE-2025-13316) to gain full administrative control.
Technical ContextAI
The Twonky Server web interface exposes API endpoints that should require authentication. An access control flaw allows unauthenticated users to retrieve the server's log file, which contains the administrator's username and an encrypted password. Combined with CVE-2025-13316 (hard-coded encryption keys), the password can be trivially decrypted, providing full administrative access to the media server.
RemediationAI
Check with the device vendor for a Twonky Server update. Ensure Twonky Server is not exposed to the internet. Change the admin password after applying any fix. Restrict access to the Twonky web interface via firewall rules limiting it to trusted devices on the local network.
More in Twonky Server
View allTwonky Server 8.5.2 uses hard-coded cryptographic keys for encrypting the administrator password. Combined with the cred
Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to share the contents of a
Twonky Server before 8.5.1 has XSS via a modified "language" parameter in the Language section. Rated medium severity (C
Twonky Server before 8.5.1 has XSS via a folder name on the Shared Folders screen. Rated medium severity (CVSS 6.1), thi
Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 through 8.5 allows remote attackers to inject arbitrary
Same weakness CWE-420 – Unprotected Alternate Channel
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today