Critical Twonky Server Flaws Let Hackers Bypass Login Protection

Twonky Server version 8.5.2 contains two critical authentication bypass vulnerabilities that allow unauthenticated attackers to steal administrator credentials and take complete control of the media server.

Security researchers at Rapid7 discovered that an attacker can leak encrypted admin passwords through an unprotected API endpoint, then decrypt them using hardcoded encryption keys embedded directly in the application binary.

The vendor has refused to issue patches, leaving the estimated 850 publicly exposed instances at immediate risk.

How the Attack Works

The vulnerability chain combines two separate flaws into a complete authentication bypass.

First, attackers exploit an API access-control bypass (CVE-2025-13315) by sending requests to the /nmc/rpc/log_getfile endpoint without authentication credentials.

This endpoint was supposed to be protected, but remains accessible through alternative routing.

When accessed, the endpoint returns application log files containing the administrator’s encrypted password.

The second vulnerability (CVE-2025-13316) means the encryption applied to the stolen password offers no real protection.

Twonky Server uses Blowfish encryption to protect administrator passwords, but the encryption keys are hardcoded directly in the compiled binary.

The application stores passwords in the format ||{KEY_INDEX}{ENCRYPTED_PASSWORD}, making it trivial for attackers to identify which of the twelve hardcoded keys was used for encryption.

With this information, attackers can decrypt the password in seconds using publicly available Blowfish libraries.

Once an attacker gains administrator credentials, they have complete control over the Twonky Server instance.

This includes access to all stored media files, the ability to shut down the server, modify configurations, and potentially pivot to other systems on the network.

Twonky Server typically runs on NAS devices, routers, and embedded systems, making successful compromises particularly dangerous in home and small business environments.

The Metasploit module released with this disclosure demonstrates the complete exploitation chain: an attacker can extract encrypted credentials in seconds and decrypt them to obtain plain-text admin passwords.

No specialized tools or advanced exploitation techniques are required—the attack can be performed with basic knowledge of HTTP requests and Blowfish encryption.

According to Shodan data, approximately 850 Twonky Server instances are currently exposed to the public internet.

Most users likely have no idea their media servers are accessible online or vulnerable to takeover.

The vendor’s decision to stop communicating after receiving the disclosure and its explicit refusal to patch the vulnerabilities mean that affected users must defend themselves without vendor support.

Organizations and individuals running Twonky Server 8.5.2 should immediately assume administrator credentials are compromised.

Restrict all Twonky Server traffic to trusted IP addresses only. If your server is exposed to the internet, disconnect it or place it behind a firewall.

Consider alternative media server solutions that receive active security support.

If you cannot avoid using Twonky Server, implement network segmentation and monitor for suspicious authentication activity on your devices.
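As an added example (not from the article, Rapid7's advisory, or Twonky), here is a small Python detector for the two defensive checks above: it scans access logs from a reverse proxy or gateway assumed to sit in front of Twonky Server and flags any request to the /nmc/rpc/log_getfile handler, plus any request from an address outside a trusted-IP allowlist. The log format, sample lines, and trusted network are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: Common Log Format lines from a reverse proxy or gateway
# assumed to sit in front of Twonky Server (the article names no log format).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Nov/2025:09:01:12 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 5120
192.168.1.20 - - [10/Nov/2025:09:02:44 +0000] "GET /status HTTP/1.1" 200 1210
203.0.113.45 - - [10/Nov/2025:09:05:01 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 5120
192.168.1.33 - - [10/Nov/2025:09:07:10 +0000] "GET /index.html HTTP/1.1" 200 800
"""

# Trusted ranges per the article's mitigation; adjust for your own network.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Match the handler name rather than the full /nmc/rpc/log_getfile path, since
# the article says it stays reachable via alternative routing it does not name.
SENSITIVE_HANDLER = re.compile(r"log_getfile")

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) \S+$"
)


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def scan_log(text: str) -> list[dict]:
    """One alert per request that hits the log_getfile endpoint (CVE-2025-13315)
    or comes from an address outside the trusted networks."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ip, path, status = m["ip"], m["path"], m["status"]
        reasons = []
        if SENSITIVE_HANDLER.search(path):
            reasons.append("log_getfile access")
        if not is_trusted(ip):
            reasons.append("untrusted source")
        if reasons:
            alerts.append({"ip": ip, "path": path, "status": status,
                           "reason": "; ".join(reasons)})
    return alerts
```

A successful (200) hit on log_getfile from an untrusted address should be treated as credential exposure, which is the point at which the article's advice to assume the admin password is compromised applies.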

The lack of vendor response demonstrates the risks of deploying unsupported software in networked environments. Until patches become available, defensive network configuration is your only option.
