CVE-2025-13315 | THREATINT

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

PUBLISHED Reserved 2025-11-17 | Published 2025-11-19 | Updated 2025-11-19 | Assigner rapid7

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-420: Unprotected Alternate Channel

Product status

Default status

unaffected

8.5.2

affected

Credits

Ryan Emmons, Staff Security Researcher at Rapid7 finder

References

www.rapid7.com/...ky-server-authentication-bypass-not-fixed/

cve.org (CVE-2025-13315)

nvd.nist.gov (CVE-2025-13315)

Download JSON