Twonky Server version 8.5.2 contains two critical authentication bypass vulnerabilities that let unauthenticated attackers steal administrator credentials and take full control of the media server.
Security researchers at Rapid7 found that an attacker can leak encrypted admin passwords through an unprotected API endpoint, then decrypt them using hardcoded encryption keys embedded directly in the software binary.
The vendor has refused to issue patches, leaving an estimated 850 publicly exposed instances at immediate risk.
How the Attack Works
The vulnerability chain combines two separate flaws into a complete authentication bypass.
First, attackers exploit an API access-control bypass (CVE-2025-13315) by sending requests to the /nmc/rpc/log_getfile endpoint without any authentication credentials.
This endpoint was supposed to be protected, but it remains reachable through alternate routing.
When accessed, the endpoint returns application log data that contains the administrator's encrypted password.
The second vulnerability (CVE-2025-13316) means the encryption on the stolen password offers no real protection.
Twonky Server uses Blowfish to protect administrator passwords, but the encryption keys are hardcoded directly in the compiled binary.
The application stores passwords in the format ||{KEY_INDEX}{ENCRYPTED_PASSWORD}, so an attacker can trivially determine which of the twelve hardcoded keys was used for encryption.
With that information, the password can be decrypted in seconds using publicly available Blowfish libraries.
Once an attacker obtains administrator credentials, they have full control over the Twonky Server instance.
This includes access to all stored media files, the ability to shut down the server, modify its configuration, and potentially pivot to other systems on the network.
Twonky Server typically runs on NAS devices, routers, and embedded systems, which makes a successful compromise particularly dangerous in home and small business environments.
The Metasploit module released alongside the disclosure demonstrates the complete exploitation chain: an attacker can extract the encrypted credentials in seconds and decrypt them to obtain the plaintext admin password.
No specialized tools or advanced exploitation techniques are required; the attack can be carried out with a basic understanding of HTTP requests and Blowfish encryption.
According to Shodan data, roughly 850 Twonky Server instances are currently exposed to the public internet.
Most of their owners probably do not know that their media servers are reachable online or vulnerable to takeover.
The vendor's decision to stop communicating after receiving the disclosure, and its explicit refusal to patch the vulnerabilities, mean that affected users must protect themselves without vendor support.
Organizations and individuals running Twonky Server 8.5.2 should immediately assume their administrator credentials are compromised.
Restrict all Twonky Server traffic to trusted IP addresses only. If your server is exposed to the internet, disconnect it or place it behind a firewall.
Consider alternative media server software that still receives active security support.
If you cannot avoid using Twonky Server, segment it onto its own network and monitor your devices for suspicious authentication activity, in particular for unauthenticated requests to the log_getfile endpoint.
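The following Python is an added example written for this article; it is not code from Rapid7, the Metasploit module, or Twonky. It covers the two practical checks the text above implies: scanning access logs for requests to /nmc/rpc/log_getfile from outside a trusted range (the monitoring step), and scanning a copy of the leaked application log for ||{KEY_INDEX}{ENCRYPTED_PASSWORD} tokens to see which of the twelve hardcoded key slots each one references (the format described in the attack section). The access-log lines and leaked-log snippet are constructed samples, and the example assumes KEY_INDEX is a single hex character and that the ciphertext is hex-encoded, neither of which the article states. The key table itself lives in the binary and is not reproduced, so the block identifies the key slot rather than decrypting anything.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data (not from a real Twonky deployment). The access log is in
# Common Log Format; the leaked log imitates the kind of application log the
# log_getfile endpoint returns, with one stored-password token in it.
SAMPLE_ACCESS_LOG = """\
192.168.1.20 - - [10/Dec/2025:10:01:02 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 58231
203.0.113.45 - - [10/Dec/2025:10:03:14 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 58231
192.168.1.20 - - [10/Dec/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1200
198.51.100.7 - - [10/Dec/2025:10:07:41 +0000] "GET /nmc/rpc/log_getfile?x=1 HTTP/1.1" 200 58231
"""

SAMPLE_LEAKED_LOG = """\
[2025-12-10 10:03:14] configuration loaded
[2025-12-10 10:03:14] accesspassword=||3a1b2c3d4e5f60718
[2025-12-10 10:03:15] server started
"""

LOG_GETFILE = "/nmc/rpc/log_getfile"
KEY_COUNT = 12  # the article says twelve hardcoded Blowfish keys

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: one hex character selects the key slot, followed by hex ciphertext.
STORED_PW_RE = re.compile(r"\|\|(?P<idx>[0-9a-f])(?P<blob>(?:[0-9a-fA-F]{2})+)")


def parse_access_line(line):
    """Parse one Common Log Format line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_log_getfile_hits(access_log, trusted_nets):
    """Return every request for the log_getfile endpoint, flagging whether the source was trusted.

    The endpoint is not supposed to be reachable without credentials, so every hit is
    worth a look; hits from outside the trusted ranges are the urgent ones.
    """
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in access_log.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] != LOG_GETFILE:
            continue
        src = ip_address(rec["ip"])
        rec["trusted"] = any(src in n for n in nets)
        hits.append(rec)
    return hits


def parse_stored_password(token):
    """Split a ||<KEY_INDEX><ENCRYPTED_PASSWORD> token into (key_index, ciphertext_bytes).

    Raises ValueError for malformed tokens, for an index outside the twelve-key table,
    and for ciphertext that is not a whole number of 8-byte Blowfish blocks.
    """
    m = STORED_PW_RE.fullmatch(token)
    if not m:
        raise ValueError("not a ||<index><hex> token: %r" % token)
    idx = int(m.group("idx"), 16)
    if idx >= KEY_COUNT:
        raise ValueError("key index %d is outside the twelve-key table" % idx)
    blob = bytes.fromhex(m.group("blob"))
    if len(blob) % 8:
        raise ValueError("ciphertext length %d is not a multiple of the 8-byte block" % len(blob))
    return idx, blob


def find_leaked_credentials(leaked_log):
    """Scan leaked application-log text for stored-password tokens and report the key slot each uses."""
    found = []
    for m in STORED_PW_RE.finditer(leaked_log):
        try:
            idx, blob = parse_stored_password(m.group(0))
        except ValueError:
            continue
        found.append({"token": m.group(0), "key_index": idx, "cipher_len": len(blob)})
    return found


if __name__ == "__main__":
    for h in find_log_getfile_hits(SAMPLE_ACCESS_LOG, ["192.168.1.0/24"]):
        print("log_getfile hit from %s (%s)" % (h["ip"], "trusted" if h["trusted"] else "UNTRUSTED"))
    for c in find_leaked_credentials(SAMPLE_LEAKED_LOG):
        print("token %s references hardcoded key slot %d" % (c["token"], c["key_index"]))
```

Any token the second scan finds should be treated as a compromised credential regardless of which slot it references, since all twelve keys ship in the binary; the slot number is only useful for confirming what was exposed. Run the first scan against the web or proxy logs in front of the device, with your own LAN ranges as the trusted list.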
The lack of vendor response illustrates the risk of deploying unsupported software in networked environments. Until patches become available, defensive network configuration is the only option.