CVE-2025-13315

high-risk

Published 2025-11-19

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Do I need to act?

82.4% chance of exploitation in next 30 days

EPSS score — higher than 18% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Twonky Server

Affected Vendors

Lynxtechnology

References (1)

Exploit https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-s...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 20/34 · Moderate

Exposure 5/34 · Minimal