52 changes: 52 additions & 0 deletions src/pentesting-web/web-vulnerabilities-methodology.md
Expand Up @@ -93,6 +93,55 @@ There are several specific functionalities where some workarounds might be usefu
- [ ] [**Reset Forgotten Password Bypass**](reset-password.md)
- [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md)

#### Routing/path-prefix authentication bypass

Many embedded web servers register multiple URI prefixes that resolve to the same RPC handlers, yet only enforce authentication on the documented path. When an undocumented prefix skips the auth middleware, every privileged handler hanging from it becomes reachable anonymously.

**Example – Twonky Server 8.5.2 (CVE-2025-13315).** Twonky added access checks to `/rpc/*` after earlier disclosures, but the binary still routes the same handlers through `/nmc/rpc/*` without any credential checks. A single unauthenticated request leaks the full application logs:

```http
GET /nmc/rpc/log_getfile HTTP/1.1
Host: target.example
```

The alternate prefix also exposes operational endpoints such as `/nmc/rpc/stop`, `/nmc/rpc/stream_active`, `/nmc/rpc/byebye`, and `/nmc/rpc/wakeup`, letting an attacker shut the service down or query its status without authentication.

**Attack workflow.**

1. Fingerprint the target (e.g., Twonky replies with `Server: Twonky` headers and discloses its build in `/rpc/info_status`).
2. Issue an unauthenticated request to the hidden prefix (`/nmc/rpc/log_getfile`) to download startup logs that contain the configured `accessuser` and the encrypted `accesspwd` string.
3. Reuse the same prefix against other RPC handlers to invoke privileged actions or pivot to credential recovery.

#### Reversible "encrypted" credentials protected by static symmetric keys

Password “encryption” that relies on globally hardcoded keys is equivalent to cleartext storage. Twonky’s `enc_passwd` routine selects one of 12 Blowfish keys, encrypts the administrator password, and persists/logs it as `||{HEX_INDEX}{HEX_CIPHERTEXT}`. Any attacker that obtains that string (e.g., through the log leak above) can deterministically decrypt it because the key list is embedded in every binary.

**Static Blowfish key table (Twonky 8.5.2).**

| Index (hex) | Key |
| --- | --- |
| 0 | `E8ctd4jZwMbaV587` |
| 1 | `TGFWfWuW3cw28trN` |
| 2 | `pgqYY2g9atVpTzjY` |
| 3 | `KX7q4gmQvWtA8878` |
| 4 | `VJjh7ujyT8R5bR39` |
| 5 | `ZMWkaLp9bKyV6tXv` |
| 6 | `KMLvvq6my7uKkpxf` |
| 7 | `jwEkNvuwYCjsDzf5` |
| 8 | `FukE5DhdsbCjuKay` |
| 9 | `SpKNj6qYQGjuGMdd` |
| A | `qLyXuAHPTF2cPGWj` |
| B | `rKz7NBhM3vYg85mg` |

**Decryption workflow (CVE-2025-13316).**

1. Strip the leading `||` and parse the first hex digit to obtain the key index (e.g., `||7...` → index `7`).
2. Load the corresponding Blowfish key from the static table above.
3. Hex-decode the remaining ciphertext and run Blowfish/ECB decryption to recover the administrator password. Rapid7’s Metasploit module `auxiliary/gather/twonky_authbypass_logleak` automates this flow.
4. Authenticate to the web UI or the documented `/rpc/*` endpoints using the recovered credentials for full administrative control.

Because the keys never change across installations, every leak of the `||{HEX_INDEX}{HEX_CIPHERTEXT}` blob (logs, backups, HTTP responses, support bundles, etc.) immediately hands attackers reusable administrative credentials across deployments.

### **Structured objects / Specific functionalities**

Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
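Review bot: the two new `####` subsections break the convention of the surrounding context, where each technique is a single `- [ ] [**…**](page.md)` checklist item that links to its own page (see `- [ ] [**Reset Forgotten Password Bypass**](reset-password.md)` just above); consider moving the Twonky write-up (routing bypass, key table and decryption workflow) into a dedicated page under `src/pentesting-web/` and leaving one checklist entry here so the methodology page stays a checklist. The write-up also stops at the attack flow: since the cited Rapid7 post is titled "… authentication bypass not fixed", the section should state the vendor fix status and the defensive side a reader of this page needs, namely that the undocumented `/nmc/rpc/*` prefix must be blocked or put behind the same authentication as `/rpc/*` (e.g. at a reverse proxy), that requests to `/nmc/rpc/log_getfile` and the other listed `/nmc/rpc/*` handlers are a clear detection signal, and that any exposed `||{HEX_INDEX}{HEX_CIPHERTEXT}` blob has to be treated as a cleartext credential disclosure rather than as encrypted data.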
Expand Down Expand Up @@ -131,5 +180,8 @@ These vulnerabilities might help to exploit other vulnerabilities.
- [ ] [**Parameter Pollution**](parameter-pollution.md)
- [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html)

## References

- [Rapid7 - CVE-2025-13315, CVE-2025-13316: Twonky Server authentication bypass](https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed)

{{#include ../banners/hacktricks-training.md}}
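Review bot: the References hunk adds only the Rapid7 blog post, while the body above names the Metasploit module `auxiliary/gather/twonky_authbypass_logleak` and reproduces a 12-entry static Blowfish key table without saying where either comes from; add a link to the module's source (or to the advisory section the table was taken from) so both are verifiable from the page, and keep `## References` placed before the `{{#include ../banners/hacktricks-training.md}}` banner as it is here.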