Cyber Security News

Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication

Twonky Server version 8.5.2 contains two critical authentication bypass vulnerabilities that allow unauthenticated attackers to gain full administrative access to the media server software.

Rapid7 discovered that the vulnerabilities can be chained together to compromise administrator accounts without any user interaction or valid credentials. The vulnerabilities affect Twonky Server installations on both Linux and Windows platforms.

Twonky Server is widely deployed in network-attached storage (NAS) devices, routers, set-top boxes, and gateways worldwide, with approximately 850 instances currently exposed to the public internet, according to Shodan data.

Vulnerabilities Let Attackers Bypass Authentication

The first vulnerability (CVE-2025-13315) allows attackers to bypass API authentication controls through an alternative routing mechanism.

By using the “/nmc/rpc/” prefix instead of the standard “/rpc/” path, attackers can access the log_getfile endpoint without authentication.

This endpoint exposes application logs containing the administrator’s username and encrypted password.
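A defender-side check for this bypass, as an added example that is not from the article or from Rapid7: it scans Common Log Format access lines for the alternative /nmc/rpc/ routing prefix and for log_getfile responses served to addresses outside an assumed trusted management range. The sample log lines and the 10.0.0.0/8 trusted range are constructed for the example.

```python
import ipaddress
import re

# Constructed sample access-log lines in Common Log Format; not from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2025:10:01:02 +0000] "GET /rpc/log_getfile HTTP/1.1" 401 0
198.51.100.7 - - [20/Nov/2025:10:01:09 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211
10.0.0.5 - - [20/Nov/2025:10:02:15 +0000] "GET /nmc/rpc/get_all HTTP/1.1" 200 932
203.0.113.9 - - [20/Nov/2025:10:03:30 +0000] "GET /rpc/log_getfile?x=1 HTTP/1.1" 200 48211
10.0.0.5 - - [20/Nov/2025:10:04:00 +0000] "GET /rpc/get_all HTTP/1.1" 200 932
"""

# Assumed trusted management range; adjust to the real deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

BYPASS_PREFIX = "/nmc/rpc/"        # alternative routing prefix named in the advisory
SENSITIVE_ENDPOINT = "log_getfile"  # endpoint that exposes the admin credentials


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_suspicious(log_text: str) -> list[tuple[str, str, str]]:
    """Return (ip, path, reason) for requests worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ip, path, status = m["ip"], m["path"], m["status"]
        route = path.split("?", 1)[0]  # drop the query string before matching
        if route.startswith(BYPASS_PREFIX):
            hits.append((ip, path, "auth-bypass prefix /nmc/rpc/ (CVE-2025-13315)"))
        elif route.endswith("/" + SENSITIVE_ENDPOINT) and status == "200" and not is_trusted(ip):
            hits.append((ip, path, "log_getfile served to untrusted address"))
    return hits


if __name__ == "__main__":
    for ip, path, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip:<15} {path:<28} {reason}")
```

Any hit on the bypass prefix from a host that should not reach the management interface is a strong indicator the log file, and with it the admin credentials, has already been retrieved.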

The second vulnerability (CVE-2025-13316) makes the recovered password trivial to decrypt: Twonky Server uses hardcoded Blowfish encryption keys that are identical across all installations.

CVE            | Description                                            | CVSS Score
CVE-2025-13315 | API authentication bypass via alternative routing      | 9.3 (Critical)
CVE-2025-13316 | Hardcoded encryption keys enable password decryption   | 8.2 (High)

Rapid7 researchers identified twelve static keys embedded in the compiled binary, meaning any attacker with knowledge of the encrypted password can decrypt it to plaintext using these publicly available keys.

Rapid7 reported these vulnerabilities to Lynx Technology, the vendor behind Twonky Server.

However, the vendor ceased communications after acknowledging receipt of the technical disclosure and stated that patches would not be possible.

Version 8.5.2 remains the latest available release with no security updates. Organizations using Twonky Server should immediately restrict application traffic to trusted IP addresses only.

All administrator credentials should be considered compromised and rotated if the server is exposed to untrusted networks.

Rapid7 has released a Metasploit module that demonstrates the complete exploitation chain and plans to provide detection capabilities in its vulnerability scanning tools.


Abinaya

Abi is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
