CVE-2025-13315
Published: 2025-11-19
Priority: P1 · 90 · critical · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 31.94% (98.1th percentile)
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lynxtechnology | twonky_server | — | — |
Detection & IOCs (extracted from sources)
yara
status_code == 200 AND contains_all(body,"server_main_impl","LOG_SYSTEM:","upnp_ini_file")
sigma
regex: accessuser =([ a-zA-Z0-9]+)
sigma
regex: accesspwd =([ :a-zA-Z0-9]+)
- Unauthenticated HTTP GET to /nmc/rpc/log_getfile is the exploit request; a 200 response containing 'server_main_impl', 'LOG_SYSTEM:', and 'upnp_ini_file' confirms successful log leak.
- The Metasploit auxiliary module 'auxiliary/gather/twonky_authbypass_logleak' automates exploitation; presence of this module in use indicates active targeting of CVE-2025-13315.
- ZoomEye/Shodan query 'app="Twonky Server"' can be used to identify internet-exposed instances susceptible to this vulnerability.
- Encrypted passwords retrieved via the log leak are decrypted using hardcoded keys (CVE-2025-13316); the Metasploit module performs this decryption automatically, meaning credential exposure is full plaintext, not just ciphertext.
- No vendor patch is available; the recommended mitigation is network segmentation or restricting access to the Twonky Server web service API.
- The vulnerability affects both Linux and Windows deployments of Twonky Server 8.5.2; detection logic should be applied regardless of host OS.
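The request and response checks listed above, applied to captured HTTP exchanges, as an added example (not code from this page or its sources). The record layout (`src`, `method`, `url`, `status`, `body`) and the sample data are constructed assumptions; the path, body markers and regexes are the ones given above.

```python
import re
from urllib.parse import urlsplit

LEAK_PATH = "/nmc/rpc/log_getfile"  # request path named on this page
BODY_MARKERS = ("server_main_impl", "LOG_SYSTEM:", "upnp_ini_file")
USER_RE = re.compile(r"accessuser =([ a-zA-Z0-9]+)")
PWD_RE = re.compile(r"accesspwd =([ :a-zA-Z0-9]+)")

def classify(rec):
    """Return None, 'probe', 'log_leak' or 'credential_leak' for one exchange."""
    path = urlsplit(rec["url"]).path.rstrip("/")
    if rec["method"].upper() != "GET" or path != LEAK_PATH:
        return None
    body = rec.get("body") or ""
    if rec["status"] != 200 or not all(m in body for m in BODY_MARKERS):
        return "probe"  # endpoint was requested but no log content came back
    # Both credential fields in the body: treat the admin account as exposed.
    if USER_RE.search(body) and PWD_RE.search(body):
        return "credential_leak"
    return "log_leak"

def scan(records):
    """Map source address -> worst verdict seen; never echoes leaked values."""
    rank = {"probe": 1, "log_leak": 2, "credential_leak": 3}
    worst = {}
    for rec in records:
        verdict = classify(rec)
        if verdict and rank[verdict] > rank.get(worst.get(rec["src"]), 0):
            worst[rec["src"]] = verdict
    return worst

# Constructed sample exchanges (documentation addresses, made-up log text).
LOG_BODY = (
    "server_main_impl: starting\n"
    "LOG_SYSTEM: upnp_ini_file loaded\n"
    "accessuser =admin\n"
    "accesspwd =00:CONSTRUCTEDVALUE\n"
)
SAMPLE = [
    {"src": "192.0.2.10", "method": "GET", "url": "/nmc/rpc/log_getfile", "status": 401, "body": ""},
    {"src": "198.51.100.7", "method": "GET", "url": "/nmc/rpc/log_getfile", "status": 200, "body": LOG_BODY},
    {"src": "192.0.2.33", "method": "GET", "url": "/index.html", "status": 200, "body": "<html></html>"},
    {"src": "203.0.113.5", "method": "GET", "url": "/nmc/rpc/log_getfile?x=1", "status": 200,
     "body": "server_main_impl LOG_SYSTEM: upnp_ini_file"},
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE).items():
        print(src, verdict)
```

A `credential_leak` verdict means the administrator password should be treated as known in plaintext, since the page notes the ciphertext is decrypted with hardcoded keys (CVE-2025-13316).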
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.3 | CRITICAL | — |
GHSA
GHSA-x96r-v3vc-578h: Twonky Server 8
ghsa_unreviewed·2025-11-19
CVE-2025-13315 [CRITICAL] CWE-420 GHSA-x96r-v3vc-578h: Twonky Server 8
VulnCheck
lynxtechnology twonky_server Unprotected Alternate Channel
vulncheck·2025·CVSS 9.3
CVE-2025-13315 [CRITICAL] lynxtechnology twonky_server Unprotected Alternate Channel
Affected: lynxtechnology twonky_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-13315
Exploit PoC: https://vulncheck.com/xdb/8863a26283f7
No detection rules found.
Metasploit
Twonky Server Log Leak Authentication Bypass
metasploit·CVSS 9.3
CVE-2025-13315 [CRITICAL] Twonky Server Log Leak Authentication Bypass
This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked (CVE-2025-13315). The exploit will then decrypt these credentials using hardcoded keys (CVE-2025-13316) and login as the administrator. Expected module output is a username and plain text password for the administrator account.
Nuclei
Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
nuclei·CVSS 9.3
CVE-2025-13315 [CRITICAL] Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
Twonky Server 8.5.2 contains a broken access control vulnerability caused by bypassing web service API authentication, letting unauthenticated attackers read log files with administrator credentials, exploit requires no authentication
Template:
```yaml
id: CVE-2025-13315

info:
  name: Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
  author: pussycat0x
  severity: critical
  description: |
    Twonky Server 8.5.2 contains a broken access control vulnerability caused by bypassing web service API authentication, letting unauthenticated attackers read log files with administrator credentials, exploit requires no authentication
  remediation: |
    Restrict access to the Twonky Server web service API or implement network segmentation as the v
```