
Windows CVE-2025-13315

Severity: CRITICAL (CVSS 4.0 base score 9.3)
Weakness: Unprotected Alternate Channel (CWE-420)
Published: 2025-11-19 (cve@rapid7.com)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 19:23 (vuln.today)
PoC Detected: Dec 02, 2025 - 16:42 (vuln.today) - public exploit code
CVE Published: Nov 19, 2025 - 18:15 (nvd)

Description (NVD)

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Analysis (AI)

Twonky Server 8.5.2 on Linux and Windows allows unauthenticated access to the admin log file through a web service API bypass. The exposed log contains the administrator's username and encrypted password, which can be decrypted using hard-coded keys (CVE-2025-13316) to gain full administrative control.

Technical Context (AI)

The Twonky Server web interface exposes API endpoints that should require authentication. An access control flaw allows unauthenticated users to retrieve the server's log file, which contains the administrator's username and an encrypted password. Combined with CVE-2025-13316 (hard-coded encryption keys), the password can be trivially decrypted, providing full administrative access to the media server.

Remediation (AI)

Check with the device vendor for a Twonky Server update. Ensure Twonky Server is not exposed to the internet. Change the admin password after applying any fix. Restrict access to the Twonky web interface via firewall rules limiting it to trusted devices on the local network.


CVE-2025-13315 vulnerability details – vuln.today
