vulnerability

Twonky Server: CVE-2025-13316: Use of Hard-coded Cryptographic Key

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:H/Au:N/C:C/I:C/A:C)	Nov 19, 2025	Nov 19, 2025	Nov 20, 2025

Severity

CVSS

(AV:N/AC:H/Au:N/C:C/I:C/A:C)

Published

Nov 19, 2025

Added

Nov 19, 2025

Modified

Nov 20, 2025

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to a cryptographic flaw, use of hard-coded cryptographic keys. An attacker with knowledge of the encrypted administrator password can decrypt the value with static keys to view the plain text password and gain administrator-level access to Twonky Server.

Solution

misc-no-solution-exists

References

CVE-2025-13316
https://attackerkb.com/topics/CVE-2025-13316
URL-https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
CWE-321

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today