Twonky Server version 8.5.2 contains two critical authentication bypass vulnerabilities that allow unauthenticated attackers to gain full administrative access to the media server software.
Rapid7 found that the vulnerabilities can be chained together to compromise administrator accounts without any user interaction or valid credentials. The vulnerabilities affect Twonky Server installations on both Linux and Windows platforms.
Twonky Server is widely deployed in network-attached storage (NAS) devices, routers, set-top boxes, and gateways worldwide, with roughly 850 instances currently exposed to the public internet, according to Shodan data.
Vulnerabilities Let Attackers Bypass Authentication
The first vulnerability (CVE-2025-13315) allows attackers to bypass API authentication controls through an alternate routing mechanism.
By using the "/nmc/rpc/" prefix instead of the standard "/rpc/" path, attackers can access the log_getfile endpoint without authentication.
This endpoint exposes application logs containing the administrator's username and encrypted password.
The second vulnerability (CVE-2025-13316) makes password decryption trivial. Twonky Server uses hardcoded Blowfish encryption keys across all installations.
| CVE | Description | CVSS Score |
| --- | --- | --- |
| CVE-2025-13315 | API authentication bypass via alternate routing | 9.3 (Critical) |
| CVE-2025-13316 | Hardcoded encryption keys enable password decryption | 8.2 (High) |
Rapid7 researchers identified twelve static keys embedded in the compiled binary, meaning any attacker who obtains the encrypted password can decrypt it to plaintext using these publicly available keys.
Rapid7 responsibly reported these vulnerabilities to Lynx Technology, the vendor behind Twonky Server.
However, the vendor ceased communications after acknowledging receipt of the technical disclosure and stated that patches would not be possible.
Version 8.5.2 remains the latest available release, with no security updates. Organizations using Twonky Server should immediately restrict application traffic to trusted IP addresses only.
All administrator credentials should be considered compromised and rotated if the server is exposed to untrusted networks.
Rapid7 has released a Metasploit module that demonstrates the complete exploitation chain and plans to provide detection capabilities in its vulnerability scanning tools.
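As an added example (not from the advisory, Rapid7 or the vendor), the following Python script scans web-server access logs for requests that use the "/nmc/rpc/" bypass prefix described above, rating each hit by whether it came from a trusted network and whether it reached the credential-leaking log_getfile endpoint. The common log format, the sample lines and the trusted CIDR are constructed assumptions; Twonky Server's own log format may differ.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2025:10:01:02 +0000] "GET /rpc/log_getfile HTTP/1.1" 401 0
203.0.113.5 - - [20/Nov/2025:10:01:05 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211
203.0.113.9 - - [20/Nov/2025:10:02:10 +0000] "GET /nmc/rpc/info_status HTTP/1.1" 200 512
10.0.0.7 - - [20/Nov/2025:10:03:00 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Alternate route prefix used by the bypass and the endpoint that leaks the
# admin username/encrypted password (both named in the advisory).
BYPASS_PREFIX = "/nmc/rpc/"
CREDENTIAL_LEAK_ENDPOINTS = {"log_getfile"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, trusted_nets):
    """Rate one parsed request: critical / high / medium / info, or None if unrelated."""
    path = entry["path"].split("?", 1)[0]
    if not path.startswith(BYPASS_PREFIX):
        return None  # normal /rpc/ traffic is subject to authentication
    endpoint = path[len(BYPASS_PREFIX):]
    try:
        trusted = any(ip_address(entry["ip"]) in net for net in trusted_nets)
    except ValueError:  # not a literal IP (e.g. a hostname); treat as untrusted
        trusted = False
    if trusted:
        return "info"  # allowed source, but the bypass route should still not be used
    if not entry["status"].startswith("2"):
        return "medium"  # probing the bypass route without success
    if endpoint in CREDENTIAL_LEAK_ENDPOINTS:
        return "critical"  # admin credentials were likely disclosed
    return "high"  # some other API call made without authentication


def scan(log_text, trusted_cidrs=("10.0.0.0/8",)):
    """Return [(severity, ip, path)] for every request touching the bypass route."""
    nets = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        severity = classify(entry, nets) if entry else None
        if severity:
            hits.append((severity, entry["ip"], entry["path"]))
    return hits
```

Any "critical" hit from an untrusted address means the administrator credentials should be treated as disclosed and rotated.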