CVE-2025-13316

Published Nov 19, 2025

Last updated 3 months ago

CVSS high 8.2

Overview

Description
Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.
Source
cve@rapid7.com
NVD status
Analyzed
Products
twonky_server

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.2
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve@rapid7.com
CWE-321

Social media

Hype score
Not currently trending

  1. 🚨 Twonky Auth Bypass, RCEs, and RISC-V Reverse Shell Payloads disclosed in Metasploit Framework this week, including CVE-2025-13315 and CVE-2025-13316. #cybersecurity https://t.co/JLR8QUYCu7

    @not2cleverdotme

    6 Dec 2025

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. QNAPとかで使っている人もいると思いますのでご注意を! 🚨🚨🚨 CVE-2025-13315, CVE-2025-13316: Critical Twonky Server Authentication Bypass (NOT FIXED) https://t.co/wj3fj79MuR

    @autumn_good_35

    27 Nov 2025

    2490 Impressions

    6 Retweets

    19 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.CVE-2025-13315

References

Sources include official advisories and independent security research.