Critical Twonky Server Vulnerabilities Let Attackers Bypass Authentication

Source: Cyber Security News

Twonky Server version 8.5.2 contains significant authentication bypass vulnerabilities (CVE-2025-13315, CVE-2025-13316) that allow unauthorized users to access administrative capabilities. The first vulnerability enables bypassing API authentication via an alternative routing method on both Linux and Windows. Attackers can use this flaw to access sensitive application logs containing administrator credentials.

The second vulnerability involves hardcoded encryption keys, which allow an attacker to decrypt passwords stored by the application. Twelve static encryption keys were found, making it straightforward to recover plaintext passwords. The vulnerabilities were reported to Lynx Technology, which acknowledged them but has not addressed them, and no patch is available, leaving organizations that run this software exposed. Rapid7 advises restricting access to the server and rotating administrator credentials if it has been exposed to untrusted networks. A Metasploit module demonstrating the exploitation has been released, along with plans for detection capabilities.

👉 Read the original: Cyber Security News