CVE-2025-13316
HIGH
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw: the use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.
Analysis
Twonky Server 8.5.2 uses hard-coded cryptographic keys for encrypting the administrator password. Combined with the credential exposure vulnerability (CVE-2025-13315), this allows attackers to decrypt the admin password from the leaked log file and gain full administrative control of the media server.
Technical Context
The Twonky Server stores the administrator password encrypted with a static, hard-coded key embedded in the binary. Since the key is identical across all installations, any attacker who obtains the encrypted password (via CVE-2025-13315 log file disclosure or other means) can decrypt it to plaintext using the known key.
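The design problem described above, shown next to a one-way alternative, as an added example that is not code from Twonky Server or from this advisory. STATIC_KEY and the SHA-256 keystream cipher are constructed stand-ins (the page does not give the product's key or algorithm), and salted scrypt storage is an assumed hardened design, not the vendor's fix.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into every copy of a product.
# It is NOT Twonky Server's key, and the cipher below is NOT its algorithm.
STATIC_KEY = b"constructed-demo-key-same-in-every-install"


def _keystream(key, length):
    """Toy keystream (SHA-256 in counter mode), for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_store(password):
    """Reversible storage under a key shared by all installations."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(STATIC_KEY, len(data))))


def weak_recover(stored):
    """Whoever holds the shipped key can invert weak_store()."""
    stream = _keystream(STATIC_KEY, len(stored))
    return bytes(a ^ b for a, b in zip(stored, stream)).decode()


def strong_store(password):
    """One-way storage: random per-installation salt plus scrypt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def strong_verify(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)
```

With the weak scheme, a leaked stored value is equivalent to the password itself; with the salted one-way scheme, the same leak yields only a value that must be guessed against, and it differs on every installation.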
Affected Products
Twonky Server 8.5.2 (Linux)
Twonky Server 8.5.2 (Windows)
NAS devices with bundled Twonky Server
Remediation
Contact the device vendor for a Twonky Server update. Change the admin password after any fix. Restrict Twonky Server access to trusted devices. Consider disabling Twonky Server if DLNA functionality is not required.