CVE-2025-13315: Critical Flaw Exposes Twonky Server Admin Credentials

Overview

CVE-2025-13315 is a critical access control vulnerability in Twonky Server version 8.5.2 on both Linux and Windows. The flaw allows an unauthenticated attacker to bypass the web service API's authentication and read a log file that leaks sensitive information: the administrator's username and encrypted password.

This vulnerability was published on 2025-11-19T18:15:47.843.

Technical Details

The vulnerability lies in improper authentication checks within the Twonky Server's web service API. By crafting specific requests, an attacker can circumvent the intended authentication process and retrieve the server's log files without authorization. These log files inadvertently contain the administrator's username and password; the password is stored in encrypted form, but its exposure substantially raises the risk that a brute-force or dictionary attack recovers the plain-text value.

Specifically, the vulnerable endpoint allows retrieval of the log file without requiring valid credentials.

Example vulnerable endpoint (illustrative): /rpc/get_log_file

CVSS Analysis

No CVSS score or severity rating is available in the information published so far. Given that administrator credentials can be retrieved without authentication, a high score is expected if the flaw is formally assessed; considering the confidentiality impact, a base score in the 7.5 to 9.8 range is likely.

Possible Impact

Successful exploitation of CVE-2025-13315 can have severe consequences:

  • Complete System Compromise: An attacker obtaining the administrator credentials can gain full control of the Twonky Server and the media it serves.
  • Data Breach: Access to media files and potentially other connected devices or networks becomes possible.
  • Malware Distribution: The compromised server can be used to distribute malware to connected clients.
  • Denial of Service: The server can be rendered unusable, disrupting media streaming services.

Mitigation or Patch Steps

As of the latest available information, no patch appears to be available. The recommended mitigation steps are:

  1. Disable Twonky Server: If possible, disable the Twonky Server until a patch is released.
  2. Restrict Network Access: Limit network access to the Twonky Server to only trusted devices. Place the server behind a firewall and carefully control inbound traffic.
  3. Monitor Network Traffic: Monitor network traffic to and from the Twonky Server for any suspicious activity.
  4. Change Default Credentials (If Possible): If the software allows changing the default admin credentials, change them immediately and use a strong, unique password; even though the stored password is encrypted, changing it replaces the value that may already have leaked.

Important: Monitor the Twonky Server vendor’s website and security advisories for updates and patches regarding this vulnerability.
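Mitigation steps 2 and 3 above can be partly automated by reviewing access logs from a reverse proxy or firewall in front of the server. The following added example (not code from the advisory or from the Twonky vendor) parses constructed Common Log Format lines and flags successful requests to the credential-bearing log endpoint that carry no authenticated user, as well as any request from outside a trusted network allowlist. The /rpc/get_log_file path is the illustrative endpoint named above, and the trusted range and log lines are assumptions chosen for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access-log lines (Common Log Format) from a proxy in front of Twonky.
# The path /rpc/get_log_file is the advisory's illustrative endpoint, not a confirmed one.
SAMPLE_LOG = """\
192.168.1.20 - admin [19/Nov/2025:18:20:01 +0000] "GET /rpc/get_log_file HTTP/1.1" 200 48211
203.0.113.45 - - [19/Nov/2025:18:21:14 +0000] "GET /rpc/get_log_file HTTP/1.1" 200 48211
192.168.1.31 - - [19/Nov/2025:18:22:03 +0000] "GET /rpc/info_status HTTP/1.1" 200 1320
198.51.100.9 - - [19/Nov/2025:18:23:40 +0000] "GET /rpc/get_log_file HTTP/1.1" 401 0
"""

# Assumed allowlist of trusted client networks (mitigation step 2).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Endpoints whose response may expose administrator credentials.
SENSITIVE_PATHS = {"/rpc/get_log_file"}

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    path: str
    status: int
    reasons: tuple


def analyze_line(line):
    """Return a Finding for a suspicious log line, or None if it looks benign."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a CLF line; ignore rather than guess
    src = ipaddress.ip_address(m["ip"])
    status = int(m["status"])
    reasons = []
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("source outside trusted allowlist")
    # A 2xx on the log endpoint with no authenticated user ("-") matches the bypass pattern.
    if m["path"] in SENSITIVE_PATHS and m["user"] == "-" and 200 <= status < 300:
        reasons.append("unauthenticated success on credential-bearing endpoint")
    return Finding(m["ip"], m["path"], status, tuple(reasons)) if reasons else None


def analyze_log(text):
    """Scan every line of an access log and collect the findings in order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]
```

Feed real proxy logs to analyze_log and forward the findings to your alerting pipeline; a single flagged 2xx is enough to justify rotating the administrator password.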

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
