Zero-Day Warning: Unpatched Twonky Server Flaws Expose Media to Total Takeover (CVE-2025-13315 & CVE-2025-13316)

Key Takeaways:

  • Critical zero-day vulnerabilities discovered in Twonky Server.
  • Vendor, Lynx Technology, is unresponsive, with no patch available.
  • Attackers can bypass authentication and gain full administrative control.
  • Immediate user action is required to mitigate the risks.
  • PurpleOps offers services to help protect against such threats.

The Twonky Server Zero-Day Double Threat: CVE-2025-13315 and CVE-2025-13316

A critical security advisory has been issued regarding Twonky Server, a media server software commonly found on Network Attached Storage (NAS) devices and routers. Researchers at Rapid7 have discovered two significant vulnerabilities that could allow attackers to bypass authentication and gain complete control of the server. The vendor, Lynx Technology, has reportedly ceased communication and has not released a fix, making this a zero-day vulnerability.

The attack involves two distinct vulnerabilities that, when used together, grant attackers full administrative privileges. The vulnerabilities affect Twonky Server version 8.5.2, which is currently the latest available version.

  1. API Access Bypass (CVE-2025-13315, CVSS 9.3)

    The first vulnerability is rated critical, with a CVSS score of 9.3, and stems from improper API access control. While previous attempts were made to secure the /rpc web API, researchers found that using the prefix /nmc/rpc allows attackers to completely bypass its authentication checks.

    An unauthenticated remote attacker can bypass web service API authentication controls to leak a log file, gaining access to the administrator’s username and encrypted password. This constitutes a significant compromise, as it opens the door for further exploitation.

  2. Password Decryption via Hardcoded Keys (CVE-2025-13316)

    The second vulnerability concerns the method by which Twonky Server encrypts administrator credentials. The software employs static, hardcoded keys for encryption. Because these keys are identical across all installations of Twonky Server, they can be easily exploited by an attacker.

    Once an attacker obtains the encrypted administrator password from the leaked log file (via CVE-2025-13315), they can decrypt it into plain text using these hardcoded keys, immediately elevating their access.

The combined effect of these vulnerabilities is that an unauthenticated attacker obtains plain-text administrator credentials. This provides full administrator access to the Twonky Server instance and control over all stored media files. The implications are substantial: data theft, manipulation, and potentially the use of the compromised server as a point of entry into the broader network, which could escalate into a much larger breach.

Vendor Non-Response: Implications and Actions

Perhaps as concerning as the vulnerabilities themselves is the apparent lack of response from Lynx Technology, the vendor behind Twonky Server. Rapid7 followed standard disclosure procedures, but after acknowledging receipt of the vulnerability report, the vendor reportedly ceased communication.

According to Rapid7, the vendor stated that a patch would not be possible, even with an extended disclosure timeline. Subsequent follow-up attempts by Rapid7 were also unsuccessful. This leaves an estimated 850 Twonky Server services exposed to the public internet and countless others on internal networks without an official fix.

Mitigating the Twonky Server Vulnerabilities: User Actions

Given the absence of a patch from the vendor, Twonky Server users must take immediate action to protect their systems and networks. The primary mitigation strategy is network segmentation.

It is strongly advised that organizations and individuals restrict Twonky Server traffic to only trusted IP addresses. This limits the potential attack surface and reduces the risk of unauthorized access. Due to the nature of the exploit, it should be assumed that any administrator credentials configured in Twonky Server have been compromised. It is necessary to rotate credentials on any accounts used with the application to limit potential damage.

Practical Takeaways and Actions:

  • Immediate Network Segmentation: Isolate Twonky Server within a segmented network to limit its exposure.
  • Restrict Access: Only allow trusted IP addresses to communicate with the Twonky Server.
  • Credential Rotation: Assume administrator credentials have been compromised and change them immediately.
  • Disable Remote Access: If remote access to Twonky Server is not required, disable it entirely.
  • Monitor Network Traffic: Implement breach detection measures and carefully monitor network traffic for any suspicious activity related to Twonky Server.
  • Consider Alternatives: Evaluate alternative media server solutions that are actively maintained and patched.
  • Implement a dark web monitoring service: Look for leaked credentials that can lead to compromises.

Technical Audience:

  • Implement strict firewall rules to control access to the Twonky Server.
  • Use intrusion detection systems (IDS) to monitor for malicious activity.
  • Review server logs regularly for any signs of unauthorized access attempts.
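The log review and trusted-IP items above can be turned into a small checker. This is an added example, not code from the advisory, Rapid7, or PurpleOps: it parses access-log lines from a reverse proxy placed in front of Twonky Server, flags any request that uses the /nmc/rpc bypass prefix named above, and flags any /rpc or /nmc/rpc request from an address outside an assumed trusted range. The trusted networks, log format, and sample lines are assumptions constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Trusted client ranges are an assumption for this example: replace them with
# the segmented networks from which Twonky Server clients are actually allowed.
TRUSTED_NETWORKS = [ip_network("10.0.5.0/24"), ip_network("192.168.1.0/24")]

# Prefixes named in the advisory: /rpc is the web API that was meant to be
# protected, /nmc/rpc the prefix that bypasses its authentication checks.
API_PREFIXES = ("/rpc", "/nmc/rpc")
BYPASS_PREFIX = "/nmc/rpc"

# Combined/common log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; method names after the prefixes are placeholders,
# not real Twonky endpoints, and 203.0.113.45 lies outside the trusted ranges.
SAMPLE_LOG = """\
10.0.5.12 - - [20/Nov/2025:09:14:02 +0000] "GET /rpc/some_method HTTP/1.1" 401 0
203.0.113.45 - - [20/Nov/2025:09:14:07 +0000] "GET /nmc/rpc/some_method HTTP/1.1" 200 48213
10.0.5.12 - - [20/Nov/2025:09:15:30 +0000] "GET /nmc/rpc/some_method HTTP/1.1" 200 512
198.51.100.9 - - [20/Nov/2025:09:16:01 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

def has_prefix(path, prefix):
    base = path.split("?", 1)[0]  # match whole path segments, ignore query
    return base == prefix or base.startswith(prefix + "/")

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def review_log(lines):
    """Return (client_ip, path, status, reason) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; production code should count these
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if has_prefix(path, BYPASS_PREFIX):
            # any use of the bypass prefix is suspicious; 200 means it was served
            served = " (served)" if status == 200 else ""
            findings.append((ip, path, status, "auth-bypass prefix" + served))
        if any(has_prefix(path, p) for p in API_PREFIXES) and not is_trusted(ip):
            findings.append((ip, path, status, "API request from untrusted source"))
    return findings
```

Feed it real proxy logs with `review_log(open(path))` and alert on any "(served)" finding, which indicates the bypass actually succeeded rather than merely being attempted.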

Business Leaders:

  • Understand the risks associated with using unpatched software.
  • Ensure that your organization has a robust vulnerability management process in place.
  • Allocate resources to mitigate the risks associated with this vulnerability.
  • Consult with cybersecurity experts to assess the impact of this vulnerability on your organization.

How PurpleOps Can Help

PurpleOps provides a range of services that can help organizations identify, assess, and mitigate cybersecurity risks like those posed by the Twonky Server vulnerabilities. Our cyber threat intelligence platform can provide you with early warnings about emerging threats and vulnerabilities. We also offer supply-chain risk monitoring to help you assess the security posture of your third-party vendors and identify potential weaknesses in your supply chain.

Our dark web monitoring service can help you identify if your credentials or sensitive data have been leaked on the dark web. We can also provide real-time ransomware intelligence to help you proactively defend against ransomware attacks. PurpleOps can help you enhance your organization’s overall security posture and protect your critical assets.

Because a compromised media server can become the source of a data leak that damages your brand, proactive monitoring and swift response are crucial. Early detection and containment can significantly reduce the impact of such incidents.

To learn more about how PurpleOps can help you protect your organization from cyber threats, please visit our website or contact us for more information.

The unpatched Twonky Server vulnerabilities highlight the importance of proactive security measures and the need for organizations to take responsibility for their own security, especially when vendors fail to provide timely patches or support.

FAQ

Q: What is Twonky Server?
A: Twonky Server is a media server software used to share media files across devices on a network.

Q: What are the CVEs associated with these vulnerabilities?
A: The CVEs are CVE-2025-13315 and CVE-2025-13316.

Q: What versions of Twonky Server are affected?
A: Twonky Server version 8.5.2 is confirmed to be affected.

Q: Is there a patch available for these vulnerabilities?
A: No, the vendor has not released a patch and is reportedly unresponsive.

Q: What can I do to protect my system?
A: Implement network segmentation, restrict access to trusted IP addresses, rotate credentials, and monitor network traffic.