CVE-2025-13315 CRITICAL

CVE-2025-13315: Unauthenticated log access in Twonky Server

Vendor Lynxtechnology
Product Twonky Server
Weakness CWE-420
Published November 19, 2025
Last update November 19, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Key dates

02 Disclosure timeline

November 19, 2025 CVE published
November 19, 2025 Record updated