Zero-Day Warning: Unpatched Twonky Server Flaws Expose Media to Total Takeover (CVE-2025-13315 & CVE-2025-13316) (CVSS 9.3)
Estimated reading time: 8 minutes
Key takeaways:
- Critical vulnerabilities (CVE-2025-13315 & CVE-2025-13316) in Twonky Server allow for complete takeover.
- Vendor, Lynx Technology, is unresponsive and will not release a patch.
- Immediate user action is required to mitigate the risk, primarily through network segmentation and credential resets.
Table of Contents:
- The “Zero-Day” Double Threat to Twonky Server
- API Access Leak (CVE-2025-13315)
- Password Decryption (CVE-2025-13316)
- Vendor Non-Response: A Patch is Not Possible
- Immediate User Actions and Mitigation Strategies
- Practical Takeaways for Technical Readers
- Practical Takeaways for Non-Technical Readers and Business Leaders
- How PurpleOps Can Help
- FAQ
The “Zero-Day” Double Threat to Twonky Server
A critical security advisory has been issued for Twonky Server, media server software commonly bundled with Network Attached Storage (NAS) devices and routers. Researchers at Rapid7 disclosed two vulnerabilities, CVE-2025-13315 and CVE-2025-13316, that chain together: the first lets an unauthenticated remote attacker read the administrator’s username and encrypted password, and the second lets them decrypt that password, giving complete control of the server and the media it serves. The vendor, Lynx Technology, has reportedly ceased communication and has not released a patch. The technical details are now public, so the flaws are both unpatched and known to attackers, and affected users must mitigate them themselves.
Both vulnerabilities are present in Twonky Server version 8.5.2, the latest available release. Each is one step in a single chain; exploited together they grant full administrative access.
API Access Leak (CVE-2025-13315)
The first vulnerability, CVE-2025-13315, is rated Critical with a CVSS score of 9.3. It is an improper API access-control flaw. An earlier fix had added an authentication check to the /rpc web API, but that check keyed on the request path: the same API is also reachable under the /nmc/rpc prefix, which the check did not cover. An unauthenticated remote attacker can therefore call the API through /nmc/rpc and retrieve a log file that contains the administrator’s username and encrypted password. This leak is the entry point for the rest of the chain. It also has a supply-chain angle: Twonky Server ships inside NAS and router firmware from other manufacturers, so many operators do not know they are running it and cannot patch it independently of the device maker.
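The bypass above is an instance of a general mistake: authorizing on the spelling of the request path instead of on the handler the router will actually run. The model below is an added example, not Twonky Server code; the route table, the handler name rpc_api and the sub-paths are assumptions for illustration. It shows the weak check letting the alias prefix through, and a hardened dispatcher that normalizes the path, resolves the route first, and then applies a deny-by-default rule to the privileged handler.

```python
"""Model of a path-prefix authorization bypass and its fix.

Added example; not Twonky Server code. Route table, handler names and
endpoint names are assumptions for illustration.
Weak pattern: the auth check keys on the literal request path ("/rpc"),
while the router also exposes the same handler under an alias prefix
("/nmc/rpc"). Hardened pattern: resolve the route first, then authorize
based on the handler that will actually run.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote
import posixpath


@dataclass(frozen=True)
class Request:
    path: str
    authenticated: bool = False


# Hypothetical route table. Both prefixes dispatch to the same privileged handler.
ROUTES = {
    "/rpc": "rpc_api",
    "/nmc/rpc": "rpc_api",      # alias prefix reaching the same API
    "/media": "media_browser",
}
PRIVILEGED_HANDLERS = {"rpc_api"}


def normalize(path: str) -> str:
    """Decode percent-encoding and collapse '.', '..' and repeated slashes,
    so the check sees the path the router will actually serve."""
    raw = unquote(path.split("?", 1)[0])
    p = posixpath.normpath(raw)
    return "/" + p.lstrip("/")        # normpath keeps a leading '//'; force one slash


def resolve(path: str) -> Optional[str]:
    """Longest-prefix route lookup on the normalized path."""
    p = normalize(path)
    for prefix, handler in sorted(ROUTES.items(), key=lambda kv: -len(kv[0])):
        if p == prefix or p.startswith(prefix + "/"):
            return handler
    return None


def vulnerable_dispatch(req: Request) -> str:
    """Auth check bolted onto one literal prefix; the alias is never checked."""
    if req.path.startswith("/rpc") and not req.authenticated:
        return "401"
    handler = resolve(req.path)
    return "404" if handler is None else "200 " + handler


def hardened_dispatch(req: Request) -> str:
    """Authorize the resolved handler, not the spelling of the path."""
    handler = resolve(req.path)
    if handler is None:
        return "404"
    if handler in PRIVILEGED_HANDLERS and not req.authenticated:
        return "401"
    return "200 " + handler


if __name__ == "__main__":
    for p in ("/rpc/status", "/nmc/rpc/status", "/rpc/../nmc/rpc/status", "/nmc/%72pc/status"):
        print(f"{p:26} vulnerable={vulnerable_dispatch(Request(p)):13} hardened={hardened_dispatch(Request(p))}")
```

The design point is that the list of privileged handlers is the single source of truth: adding a new alias prefix to the route table cannot silently widen unauthenticated access, because authorization never looks at the prefix at all.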
Password Decryption (CVE-2025-13316)
The second vulnerability, CVE-2025-13316, comes into play once the attacker holds the encrypted password from the leaked log file. Twonky Server encrypts administrator credentials with static, hardcoded keys that are identical across every installation. Anyone who extracts them once from the software can decrypt the stored password of any Twonky instance, so the encryption provides no more protection than storing the password in plain text. A password that only ever needs to be checked, not recovered, should instead be stored as a salted, slow hash; a leaked hash cannot be turned back into the password. With the decrypted credential the attacker logs in as administrator and controls every media file the server exposes.
The combination of these two vulnerabilities results in a complete compromise, allowing an unauthenticated attacker to gain plain text administrator credentials and full control of the Twonky Server.
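To make the hardcoded-key point concrete, here is an added example (not Twonky’s code; Twonky’s actual cipher and key values are not reproduced). The key and IV constants are assumptions standing in for values baked into a shipped binary, and the cipher is a CTR-style keystream built from HMAC-SHA256 so the example runs with the standard library alone; the property shown does not depend on the cipher. The contrast is a salted scrypt hash, which can verify a password but not recover it.

```python
"""Why a static, hardcoded key is not protection.

Added example; not Twonky Server code. HARDCODED_KEY and HARDCODED_IV are
assumed stand-ins for constants shipped identically in every installation.
"""
import hashlib
import hmac
import os

HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
HARDCODED_IV = bytes.fromhex("0102030405060708")

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # fast enough for a demo


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256; stand-in for a real block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def static_key_encrypt(plaintext: str) -> bytes:
    """What the product does: reversible encryption under a fixed key and IV.
    Same password in, same ciphertext out, on every installation."""
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(HARDCODED_KEY, HARDCODED_IV, len(data))))


def attacker_decrypt(ciphertext: bytes, key: bytes = HARDCODED_KEY, iv: bytes = HARDCODED_IV) -> str:
    """The attacker needs only the leaked ciphertext; key and IV came from
    any copy of the software, not from the victim."""
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, iv, len(ciphertext)))).decode()


def hash_password(password: str) -> bytes:
    """What it should do for a login secret: salted, memory-hard hash (scrypt)."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    secret = "Adm1n-P@ss"                      # constructed sample password
    leaked = static_key_encrypt(secret)
    print("leaked ciphertext:", leaked.hex())
    print("recovered by attacker:", attacker_decrypt(leaked))
    stored = hash_password(secret)
    print("hash verifies:", verify_password(secret, stored),
          "| recoverable:", "no, only verifiable")
```

Two properties are worth checking on any product that stores credentials: whether the same password produces the same stored value on two different installs (no per-install randomness), and whether the stored value can be reversed by someone who has only the software. Reversible storage is only defensible when the secret must be replayed to another system, which an admin login password never is.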
Vendor Non-Response: A Patch is Not Possible
Adding to the severity is the vendor’s lack of response. Rapid7 followed standard coordinated-disclosure procedure and reported the vulnerabilities to Lynx Technology. The vendor acknowledged the report but then ceased communication, having stated that a patch would not be possible even with an extended disclosure timeline; Rapid7’s further follow-ups went unanswered. That leaves an estimated 850 Twonky Server services exposed to the public internet, plus an unknown number on internal networks, without an official fix. It also shows the supply-chain side of the problem: Twonky Server is embedded in NAS and router products from other manufacturers, so many users depend on a device vendor’s firmware update for a fix that the software vendor is not producing.
Immediate User Actions and Mitigation Strategies
Given the absence of a patch, Twonky Server users must secure their systems themselves. The primary recommendation is network segmentation: do not expose the server to the internet, and restrict its traffic to trusted IP addresses to shrink the attack surface. Because the exploit chain yields plaintext administrator credentials, treat every administrator credential configured in Twonky Server as compromised and reset it on any system where it was reused.
Practical Takeaways for Technical Readers:
- Network Segmentation: Implement network segmentation to isolate the Twonky Server from the broader network. Use firewalls to restrict traffic to and from the server, allowing only necessary connections.
- Access Control Lists (ACLs): Configure ACLs on your firewall to permit only trusted IP addresses to communicate with the Twonky Server. Regularly review and update these ACLs.
- Credential Reset: Assume every administrator credential configured in Twonky Server has been compromised. Reset it on the server and on any other system where the same password was reused. Resetting the password on a still-exposed, unpatched server only buys time, since the new password can be leaked and decrypted the same way; the reset must go together with the network restrictions above.
- Log Monitoring: Enable and centralise logs from the Twonky Server, the NAS and the network devices in front of it. Watch for requests under the /nmc/rpc prefix, requests from unexpected source addresses, and unusual outbound transfers. Threat intelligence feeds can add context about known scanning sources, but they do not replace the logs themselves.
- Disable Remote Access: If the server does not need to be reachable from outside the local network, turn off remote access, including any UPnP or manual port-forwarding rule on the router that exposes it to the internet.
- Implement a Web Application Firewall (WAF): A WAF or reverse proxy in front of the server can block requests to the /nmc/rpc prefix from untrusted sources as a stopgap. Make sure the rule matches on the decoded, normalised path; a rule that matches only the literal prefix can be sidestepped in the same spirit as the original check was.
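The log-monitoring item above is easiest to act on from a reverse proxy or firewall that sits in front of the NAS and writes ordinary access logs. The scanner below is an added example, not Twonky or PurpleOps code; it assumes Apache/nginx "combined" format lines, and the sample lines, addresses and request sub-paths are constructed for the example. It canonicalises each request path (percent-decoding, "..", doubled slashes) before matching, so obfuscated probes for the alias prefix are caught as well as plain ones.

```python
"""Flag access-log lines that reach the rpc API through the /nmc/rpc alias.

Added example; not Twonky Server or PurpleOps code. Assumes "combined"
format access logs from a proxy or firewall in front of the NAS. The
sample lines and the sub-paths in them are constructed.
"""
import posixpath
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log; /rpc/status and /nmc/rpc/status are placeholder sub-paths.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2025:10:01:02 +0000] "GET /nmc/rpc/status HTTP/1.1" 200 512
10.0.0.5 - - [14/Nov/2025:10:01:09 +0000] "GET /rpc/status HTTP/1.1" 401 0
203.0.113.7 - - [14/Nov/2025:10:01:15 +0000] "GET /rpc/../nmc/rpc/status HTTP/1.1" 200 512
10.0.0.9 - - [14/Nov/2025:10:02:31 +0000] "GET /media/index.html HTTP/1.1" 200 4096
198.51.100.4 - - [14/Nov/2025:10:03:44 +0000] "GET /nmc/%72pc/status HTTP/1.1" 200 512
"""


def canonical_path(path: str) -> str:
    """Decode and normalise so the match sees what the server will serve."""
    p = posixpath.normpath(unquote(path.split("?", 1)[0]))
    return "/" + p.lstrip("/")


def classify(raw_path: str) -> str:
    """Return a reason if the request deserves attention, else an empty string."""
    canon = canonical_path(raw_path)
    if canon == "/nmc/rpc" or canon.startswith("/nmc/rpc/"):
        if canon != raw_path:
            return "rpc API via /nmc/rpc alias (obfuscated path)"
        return "rpc API via /nmc/rpc alias"
    return ""


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and return the suspicious ones with a reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip unparseable lines rather than crash
        reason = classify(m["path"])
        if reason:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "status": m["status"], "reason": reason})
    return hits


def sources(hits: List[Dict[str, str]]) -> Counter:
    """Count flagged requests per source address, for blocking or triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]:14} {h["status"]} {h["path"]:28} {h["reason"]}')
    print("per source:", dict(sources(found)))
```

A 200 response to the alias prefix from an address outside your trusted ranges is the signal to act on: treat that source as hostile, assume the administrator credential has been read, and check the same address against the rest of the network’s logs.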
Practical Takeaways for Non-Technical Readers and Business Leaders:
- Inventory Assessment: Identify all instances of Twonky Server running on your network. Understand where these servers are located and what data they have access to.
- Risk Prioritization: Assess the risk associated with each Twonky Server instance. Consider the sensitivity of the data stored on the server and the potential impact of a successful attack.
- Communication with IT: Communicate the risks associated with Twonky Server to your IT department or managed service provider. Ensure they are aware of the vulnerabilities and are taking appropriate steps to mitigate the risk.
- Budget Allocation: Allocate budget for security measures to protect Twonky Servers. This may include investments in firewalls, intrusion detection systems, or security consulting services.
- Training and Awareness: Provide training to employees on the risks associated with unpatched software and the importance of following security best practices.
- Consult with Cybersecurity Experts: Engage with cybersecurity experts to conduct a thorough assessment of your Twonky Server deployment and develop a comprehensive security plan.
How PurpleOps Can Help
PurpleOps offers a range of PurpleOps Solutions that can assist in identifying, monitoring, and mitigating threats like the Twonky Server vulnerabilities. Our cyber threat intelligence platform provides real-time ransomware intelligence and comprehensive breach detection capabilities. This includes:
- Dark Web Monitoring Service: PurpleOps’ dark web monitoring service can identify if your credentials or sensitive data related to your Twonky Server have been exposed on the dark web. This service uses underground forum intelligence to gather information about potential threats.
- Telegram Threat Monitoring: Our platform also includes Telegram threat monitoring, which can alert you to discussions or activities related to the Twonky Server vulnerabilities in relevant Telegram channels.
- Live Ransomware API: The live ransomware API provides up-to-date information on ransomware threats, helping you understand the potential risks associated with unpatched vulnerabilities like those in Twonky Server.
- Brand Leak Alerting: PurpleOps provides brand leak alerting to notify you if sensitive information related to your organization is leaked online, potentially through compromised Twonky Servers.
These services can help organizations proactively address the risks posed by unpatched vulnerabilities and protect their valuable assets.
Given the severity of these unpatched vulnerabilities in Twonky Server and the lack of vendor support, immediate action is required. Understanding the vulnerabilities and taking appropriate mitigation steps is crucial to preventing potential compromise. Consider leveraging services like PurpleOps’ cyber threat intelligence platform to enhance your security posture and protect against emerging threats, through tools such as a dark web monitoring service.
To learn more about how PurpleOps can help you protect your organization from vulnerabilities like these, please explore our PurpleOps Solutions or contact us for a consultation. We also offer Red Team Operations. To learn how PurpleOps can help you to Protect from Ransomware and Supply Chain Attacks, please visit our website.
FAQ
Q: What is Twonky Server?
A: Twonky Server is media server software commonly found on Network Attached Storage (NAS) devices and routers.
Q: What are CVE-2025-13315 and CVE-2025-13316?
A: These are two critical vulnerabilities discovered in Twonky Server version 8.5.2 that, when exploited together, grant an attacker full administrative access.
Q: Is there a patch available for these vulnerabilities?
A: No, the vendor, Lynx Technology, has ceased communication and will not release a patch.
Q: What can I do to protect my Twonky Server?
A: The primary recommendation is network segmentation: keep the server off the internet and restrict its traffic to trusted IP addresses, which significantly reduces the attack surface. Also reset all administrator credentials, including anywhere the same password was reused.
Q: How can PurpleOps help?
A: PurpleOps offers a range of services, including dark web monitoring and real-time ransomware intelligence, to help identify, monitor, and mitigate threats like the Twonky Server vulnerabilities.