Twonky Server model 8.5.2 incorporates two important authentication bypass vulnerabilities that enable unauthenticated attackers to steal administrator credentials and take full management of the media server.
Safety researchers at Rapid7 found that an attacker can leak encrypted admin passwords by way of an unprotected API endpoint, then decrypt them utilizing hardcoded encryption keys embedded instantly within the software binary.
The seller has refused to situation patches, leaving the estimated 850 publicly uncovered situations at fast danger.
How the Assault Works
The vulnerability chain combines two separate flaws into an entire authentication bypass.
First, attackers exploit an API access-control bypass (CVE-2025-13315) by sending requests to the /nmc/rpc/log_getfile endpoint with out authentication credentials.
This endpoint was alleged to be protected, however stays accessible by way of different routing.
When accessed, the endpoint returns software log information containing the administrator’s encrypted password.
The second vulnerability (CVE-2025-13316) renders the stolen encrypted password ineffective for protection.
Twonky Server makes use of Blowfish encryption to guard administrator passwords, however the encryption keys are hardcoded instantly within the compiled binary.
The appliance shops passwords within the format ||{KEY_INDEX}{ENCRYPTED_PASSWORD}, making it trivial for attackers to establish which of the twelve hardcoded keys was used for encryption.
With this data, attackers can decrypt the password in seconds utilizing publicly obtainable Blowfish libraries.
As soon as an attacker positive factors administrator credentials, they’ve full management over the Twonky Server occasion.
This contains entry to all saved media information, the flexibility to close down the server, modify configurations, and probably pivot to different programs on the community.
Twonky Server usually runs on NAS gadgets, routers, and embedded programs, making profitable compromises significantly harmful in residence and small enterprise environments.
The Metasploit module launched with this disclosure demonstrates the whole exploitation chain: an attacker can extract encrypted credentials in seconds and decrypt them to acquire plain-text admin passwords.
No specialised instruments or superior exploitation strategies are required—the assault could be carried out with primary data of HTTP requests and Blowfish encryption.
In keeping with Shodan knowledge, roughly 850 Twonky Server situations are at the moment uncovered to the general public web.
Most customers probably don’t know their media servers are accessible on-line or susceptible to takeover.
The seller’s choice to cease speaking after receiving the disclosure and its express refusal to patch the vulnerabilities imply that affected customers should defend themselves with out vendor assist.
Organizations and people operating Twonky Server 8.5.2 ought to instantly assume administrator credentials are compromised.
Limit all Twonky Server site visitors to trusted IP addresses solely. In case your server is uncovered to the web, disconnect it or place it behind a firewall.
Contemplate different media server options that obtain lively safety assist.
When you can not keep away from utilizing Twonky Server, implement community segmentation and monitor for suspicious authentication exercise in your gadgets.
The dearth of vendor response demonstrates the dangers of deploying unsupported software program in networked environments. Till patches change into obtainable, defensive community configuration is your solely choice.
Comply with us on Google Information, LinkedIn, and X to Get On the spot Updates and set GBH as a Most well-liked Supply in Google.
