CVE 9.3 CRITICAL

Unauthenticated log access in Twonky Server_CVE-2025-13315

November 19, 2025 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

AI Analysis

Unauthenticated access control flaw in Twonky Server allowing log file leak and reading of administrator's username and encrypted password

Basic Information

ID CVE-2025-13315

Source rapid7

Published Nov 19, 2025 at 17:41

Modified Nov 19, 2025 at 18:20

Affected Product

Vendor Lynxtechnology

Product Twonky Server

Version 8.5.2

Affected Versions Lynxtechnology Twonky Server 8.5.2

CWE Classification

CWE-420

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Lynxtechnology

Product Twonky Server

Version 8.5.2

References

www.rapid7.com /blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/

{
    "lastseen": "",
    "description": "Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.",
    "published": "2025-11-19T17:41:36.996Z",
    "modified": "2025-11-19T18:20:50.718Z",
    "type": "cve",
    "title": "Unauthenticated log access in Twonky Server",
    "source": "rapid7",
    "references": "https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/",
    "id": "CVE-2025-13315",
    "bulletinFamily": "",
    "cwe": [
        "CWE-420"
    ],
    "cvelist": null,
    "sourceData": "Lynxtechnology Twonky Server 8.5.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Twonky Server",
    "version": "8.5.2",
    "vendor": "Lynxtechnology",
    "ai_description": "Unauthenticated access control flaw in Twonky Server allowing log file leak and reading of administrator's username and encrypted password",
    "ai_severity": "Critical",
    "ai_vendor": "Lynxtechnology",
    "ai_product": "Twonky Server",
    "ai_version": "8.5.2",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply