CVE-2025-13315

CVE-2025-13315 is an access control vulnerability (CWE-420) affecting Twonky Server version 8.5.2 on both Linux and Windows platforms. The flaw enables an unauthenticated attacker to bypass authentication controls in the web service API, leading to the leakage of a log file that exposes the administrator's username and encrypted password. Published on 2025-11-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its high impact on confidentiality, integrity, and availability.

Any unauthenticated attacker with network access to the affected Twonky Server instance can exploit this vulnerability remotely with low attack complexity and no privileges or user interaction required. Exploitation involves bypassing the web service API authentication to access and read the log file, yielding the administrator's credentials. This initial foothold could facilitate further attacks, such as authentication with the leaked credentials or escalation depending on the server's configuration.

The primary advisory reference is a Rapid7 blog post detailing CVE-2025-13315 alongside CVE-2025-13316 as critical Twonky Server authentication bypass issues that have not been fixed: https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/. Security practitioners should isolate affected instances, monitor for log file access attempts, and seek vendor updates, as no patches are indicated in available references.