CVE-2025-13316
Analyzed
Published: 19 Nov 2025, 18:15
Last modified: 25 Nov 2025, 19:36
Vulnerability Summary
Overall Risk: High Risk, 53/100
CVSS Score: 8.2 HIGH (CVSS v4.0, CVE)
EPSS Score: 0.05% CRITICAL (0% probability, 0.00%)
CISA KEV: Not listed
Ransomware: No reports
Exploits: 1 found
Dark Web: Not detected
Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.
Source Identifier: cve@rapid7.com
| CVSS | Source | Severity | Exploit. | Impact | Vector |
|---|---|---|---|---|---|
| v4.0 | cve@rapid7.com | 8.2 HIGH | NA | NA | CVSS:4.0/AV:N/AC:H/AT:N/P... |
| v3.1 | Primary nvd@nist.gov | 8.1 HIGH | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/U... |
| v3.0 | n/a | - | - | - | - |
| v2.0 | n/a | - | - | - | - |
EPSS charts (Current Score, Percentile Rank): visible values 52.56%, 0.00%, 98%ile, 0.00%
Use of Hard-coded Cryptographic Key CWE-321
Description: The product uses a hard-coded, unchangeable cryptographic key.
Not listed in CISA Known Exploited Vulnerabilities catalog.
No dark web activity detected for this vulnerability.
Metasploit auxiliary module (Verified)
Author: remmons-r7
Updated: 27 Nov 2025, 14:33
This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked (CVE-2025-13315). The exploit will then decrypt these credentials using hardcoded keys (CVE-2025-13316) and login as the administrator. Expected module output is a username and plain text password for the administrator account.
CVE-2025-13315, CVE-2025-13316, rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
Affected Configurations (CPE)
AND
lynxtechnology twonky_server (Vulnerable)
Version: 8.5.2
cpe:2.3:a:lynxtechnology:twonky_server:8.5.2:*:*:*:*:*:*:*
linux linux_kernel (Not Vulnerable)
Version: -
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
microsoft windows (Not Vulnerable)
Version: -
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
| URL | Tags | Source |
|---|---|---|
| https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/ | - | cve@rapid7.com |
| https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/ | third party advisory | cve@rapid7.com |