CVE-2025-13316 | THREATINT

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.

PUBLISHED Reserved 2025-11-17 | Published 2025-11-19 | Updated 2025-11-19 | Assigner rapid7

HIGH: 8.2CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-321: Use of Hard-coded Cryptographic Key

Product status

Default status

unaffected

8.5.2

affected

Credits

Ryan Emmons, Staff Security Researcher at Rapid7 finder

References

www.rapid7.com/...ky-server-authentication-bypass-not-fixed/

cve.org (CVE-2025-13316)

nvd.nist.gov (CVE-2025-13316)

Download JSON