CVE-2025-13315
Published: 19 November 2025
Summary
CVE-2025-13315 is a critical-severity Unprotected Alternate Channel (CWE-420) vulnerability in Lynxtechnology Twonky Server 8.5.2 on Linux and Windows. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AU-9 (Protection of Audit Information).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to information and system resources, directly addressing the authentication bypass that lets an unauthenticated client read the log file containing administrator credentials.
- AU-9 (Protection of Audit Information): protects audit information and audit tools from unauthorized access, modification, and deletion, limiting the leakage of the administrator username and encrypted password from the log file.
- AC-6 (Least Privilege): restricts access to system resources such as log files to the accounts and paths that need it, so that an authentication bypass in one interface does not automatically expose sensitive credential data.
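The AU-9 and AC-6 points above come down to two things an implementer controls: what gets written into a log, and who can read the file. The following is an added example, not Twonky's code or anything from the vendor: a generic Python logger that, in its "exposed" configuration, dumps the whole startup configuration into a world-readable log (the pattern that ends with an administrator password on disk), and in its "hardened" configuration creates the file with mode 0600 before the first write and runs every record through a redacting filter. The key names matched by the filter and the sample configuration are assumptions for the demonstration.

```python
import logging
import os
import re
import tempfile

# Credential-like key names whose values must never reach a log file.
# Assumed list for this example; extend it to match the product's own config keys.
_SECRET_RE = re.compile(
    r"(?P<key>[\w.-]*(?:password|passwd|secret|token|apikey)[\w.-]*)"
    r"(?P<q1>['\"]?)(?P<sep>\s*[=:]\s*)(?P<q2>['\"]?)(?P<val>[^'\",\s}]+)",
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Mask the value of any key=value or 'key': 'value' pair whose key looks like a secret."""
    return _SECRET_RE.sub(
        lambda m: f"{m['key']}{m['q1']}{m['sep']}{m['q2']}[REDACTED]", text
    )


class RedactingFilter(logging.Filter):
    """Rewrites each record before the formatter sees it, so the secret is never written."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message already rendered; stop the formatter re-applying args
        return True


def open_log(path: str, hardened: bool) -> logging.Logger:
    """hardened=False: default file mode, no redaction (the exposure pattern).
    hardened=True: file created 0600 before any write (AC-6 / AU-9) plus a redacting filter."""
    if hardened:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        os.fchmod(fd, 0o600)  # also tighten a pre-existing file with a looser mode
        os.close(fd)
    handler = logging.FileHandler(path)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    if hardened:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger(f"example.{'hardened' if hardened else 'exposed'}")
    for old in list(logger.handlers):  # make repeated calls idempotent
        logger.removeHandler(old)
        old.close()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger


def log_startup(logger: logging.Logger, config: dict) -> None:
    # The habit that puts credentials in a log file: dumping the whole configuration.
    logger.info("server started with config %s", config)


def demo() -> dict:
    """Write the same startup record both ways; return each file's text and permission bits."""
    config = {"admin_user": "admin", "admin_password": "hunter2"}  # constructed sample
    out = {}
    with tempfile.TemporaryDirectory() as directory:
        for name, hardened in (("exposed", False), ("hardened", True)):
            path = os.path.join(directory, f"{name}.log")
            logger = open_log(path, hardened)
            log_startup(logger, config)
            for h in list(logger.handlers):
                h.close()
                logger.removeHandler(h)
            with open(path) as f:
                out[name] = {"text": f.read(), "mode": os.stat(path).st_mode & 0o777}
    return out


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: mode={r['mode']:o} {r['text'].strip()}")
```

The redacting filter is a defence in depth: the primary fix is not writing credentials to the log at all, and the 0600 mode only helps against readers who go through the filesystem, not against an API that serves the file to unauthenticated clients as in this CVE. Both belong in place regardless.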
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an unauthenticated attacker to exploit a public-facing web service API (T1190) to bypass authentication and read a log file containing administrator credentials (T1081, Credentials in Files; this ID has been retired and now maps to T1552.001, Unsecured Credentials: Credentials In Files).
NVD Description
Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.
Deeper analysis
CVE-2025-13315 is classified as CWE-420 (Unprotected Alternate Channel) and affects Twonky Server version 8.5.2 on both Linux and Windows. The flaw lets an unauthenticated attacker bypass the authentication controls of the web service API and retrieve a log file that exposes the administrator's username and encrypted password. Published on 2025-11-19, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the High impact on confidentiality, integrity, and availability reflects that the leaked credentials give an attacker the administrator's level of control over the server.
Any attacker with network access to the affected Twonky Server instance can exploit the flaw remotely with low attack complexity and no privileges or user interaction. Exploitation consists of bypassing the web service API authentication to read the log file and extract the administrator's credentials. That foothold can then be used to authenticate to the server as the administrator, with further escalation depending on what the server is configured to do and what else the administrator account can reach.
The primary advisory reference is a Rapid7 blog post covering CVE-2025-13315 together with CVE-2025-13316 as critical Twonky Server authentication bypass issues that have not been fixed: https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/. Since no patch is indicated in the available references, practitioners should restrict network access to the affected instance's web service API to trusted sources, monitor for unauthenticated requests that return log content and for administrator logins that follow such requests, and watch for vendor updates. Treat the leaked "encrypted" password as compromised: the NVD text describes it as encrypted rather than hashed, and nothing in the available references establishes that it cannot be recovered or replayed, so rotate the administrator credential and any other place it is reused.
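The monitoring advice above can be turned into a concrete rule. The following is an added example, not part of the advisory and not Rapid7's or the vendor's code: it parses reverse-proxy access logs in Combined Log Format, flags any successful request for a log file that carried no authenticated user (the leak stage, T1190), and then flags any authenticated request from the same source address within a window after the leak (the credential-use stage). The path pattern for "a log file was served" and the sample log lines are assumptions constructed for the example; the real request path for this CVE is not given on this page, so adapt the pattern to what the affected API actually exposes.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format as written by nginx/Apache placed in front of the server.
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Heuristic for "the response was a log file". Assumption for this example only.
LOG_FETCH_RE = re.compile(r"\.log(?:\?|$)", re.IGNORECASE)
# How long after an unauthenticated log fetch an authenticated request from the
# same address is treated as suspicious. Assumed value.
WINDOW = timedelta(minutes=30)


def parse_line(line: str):
    """Return a dict of the fields we need, or None for lines that are not access-log records."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],  # "-" means the proxy saw no authenticated user
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_unauth_log_fetch(ev: dict) -> bool:
    """Stage 1: a log file was served (200) to a client with no authenticated user."""
    return ev["user"] == "-" and ev["status"] == 200 and LOG_FETCH_RE.search(ev["path"]) is not None


def detect(lines) -> list:
    """Emit (rule, source_ip, detail) alerts in time order."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    alerts = []
    first_leak = {}  # source ip -> time of its first unauthenticated log fetch
    for ev in events:
        if is_unauth_log_fetch(ev):
            alerts.append(("unauth_log_fetch", ev["ip"], ev["path"]))
            first_leak.setdefault(ev["ip"], ev["time"])
        elif ev["user"] != "-" and ev["ip"] in first_leak \
                and ev["time"] - first_leak[ev["ip"]] <= WINDOW:
            # Stage 2: the same address now authenticates, consistent with using leaked credentials.
            alerts.append(("credential_use_after_leak", ev["ip"], ev["user"]))
    return alerts


# Constructed sample log lines; addresses are from the documentation ranges.
SAMPLE_LINES = [
    '192.0.2.9 - admin [19/Nov/2025:09:00:00 +0000] "GET /config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2025:10:15:02 +0000] "GET /api/export/server.log HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '203.0.113.7 - admin [19/Nov/2025:10:21:40 +0000] "GET /config HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Nov/2025:10:30:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Nov/2025:10:31:00 +0000] "GET /api/export/server.log HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    "not an access log line",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

The legitimate administrator at 192.0.2.9 produces no alert because no leak preceded the login, and the 401 from 198.51.100.4 is a denied attempt rather than a successful fetch. Feeding this the proxy's live access log, with the path heuristic replaced by the actual endpoint, gives a low-noise signal for both stages of the attack the ATT&CK mapping describes.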
Details
- CWE(s)