CVE-2025-13315

CRITICAL EXPLOITED NUCLEI

Twonky Server Log Leak Authentication Bypass

Title source: metasploit

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Exploits (2)

metasploit WORKING POC

by remmons-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/twonky_authbypass_logleak.rb

View Code ZIP pw:eip

vulncheck_xdb

remote

https://github.com/Ashwesker/Blackash-CVE-2025-13315

View on vulncheck_xdb

Nuclei Templates (1)

Twonky Server 8.5.2 on Linux and Windows - Log File Exposure

CRITICALVERIFIEDby pussycat0x

References (1)

[Exploit, Third Party Advisory] https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/

Scores

CVSS v3 9.8

EPSS 0.8237

EPSS Percentile 99.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-12-15

Classification

CWE

CWE-420

Status published

Affected Products (1)

lynxtechnology/twonky_server

Timeline

Published Nov 19, 2025

Tracked Since Feb 18, 2026