cbcvebase.
CVE-2025-13315
published 2025-11-19

Priority P1 · 90 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 31.94% (98.1th percentile)
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Affected

1 range

Vendor | Product | Version range | Fixed in
lynxtechnology | twonky_server | |

Detection & IOCs (extracted from sources)

url: /nmc/rpc/log_getfile
yara: status_code == 200 AND contains_all(body,"server_main_impl","LOG_SYSTEM:","upnp_ini_file")
sigma: regex: accessuser =([  a-zA-Z0-9]+)
sigma: regex: accesspwd =([ :a-zA-Z0-9]+)
  • Unauthenticated HTTP GET to /nmc/rpc/log_getfile is the exploit request; a 200 response containing 'server_main_impl', 'LOG_SYSTEM:', and 'upnp_ini_file' confirms successful log leak.
  • The Metasploit auxiliary module 'auxiliary/gather/twonky_authbypass_logleak' automates exploitation; presence of this module in use indicates active targeting of CVE-2025-13315.
  • ZoomEye/Shodan query 'app="Twonky Server"' can be used to identify internet-exposed instances susceptible to this vulnerability.
  • Encrypted passwords retrieved via the log leak are decrypted using hardcoded keys (CVE-2025-13316); the Metasploit module performs this decryption automatically, meaning credential exposure is full plaintext, not just ciphertext.
  • No vendor patch is available; the recommended mitigation is network segmentation or restricting access to the Twonky Server web service API.
  • The vulnerability affects both Linux and Windows deployments of Twonky Server 8.5.2; detection logic should be applied regardless of host OS.

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 · CRITICAL