PT-2025-47496 · Plex · Twonky Server

Published: 2025-11-19 · Updated: 2025-12-06 · CVE-2025-13315

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Twonky Server versions 8.5.2

Description

An unauthenticated attacker can bypass web service API authentication controls to access a log file and retrieve the administrator's username and encrypted password. The issue is an access control flaw: because the API authentication controls can be bypassed, the log file, which exposes the administrator's username and password, can be read without authorization. The vulnerable API endpoint is not explicitly specified.

Recommendations

Update to a newer version that contains a fix for this vulnerability.

Exploit

Fix

Weakness Enumeration

Related Identifiers

CVE-2025-13315

Affected Products

Twonky Server