
Twonky Server Vulnerabilities Allow Hackers to Bypass Login Security

johny899

New Member
Content Writer
Messages
859
Reaction score
3
Points
23
Balance
$1,053.6USD
Hi everyone! Are you aware of the Twonky Server security issues? If you happen to use this media server, you should pay attention. Rapid7 security researchers discovered two serious vulnerabilities in Twonky Server version 8.5.2 that would allow a hacker to log in without a password. The problem is, the company is not going to fix these flaws.

The Flaws

The first vulnerability is an API access-control bypass (CVE-2025-13315). A hacker could simply send a request via /nmc/rpc/log_getfile without logging in, and the server will return the encrypted administrator passwords.

The second vulnerability is hardcoded encryption keys (CVE-2025-13316). Twonky uses Blowfish to protect the passwords, but the keys are in the software. The hardcoded keys can make decrypting the password easy for hackers.

These two vulnerabilities combined would allow a hacker to gain complete control of the server, allowing them to view media files, change settings, shut down the server, or attack other devices on the network.

Who is Vulnerable?

Twonky Server is run on NAS devices along with routers and other embedded devices, so the risk is not limited to personal users. Small businesses are at risk as well. Researchers found roughly 850 Twonky Servers exposed online. It is highly likely that the owner of a Twonky Server does not know they are in a vulnerable situation.

Why It's Dangerous

The troubling news is that the vendor is not going to be fixing any of these bugs, meaning that it is the users who are left to defend themselves. Hackers don't need any special tools, just the basic knowledge of how to make requests and decrypt passwords.

How to Stay Safe

If you're running Twonky Server 8.5.2, just assume that your admin passwords could be compromised. Here's what you do:
  • Allow only trusted IP addresses to access the server.
  • If you can, take it off the Internet.
  • Put it behind a firewall.
  • Consider switching to another media server, so you at least have a chance of getting security updates.
  • Monitor your network for odd login attempts.

My Thoughts

This is just another example of why running old, unsupported online software can be risky. A fun media server can easily cause a significant security vulnerability. If I were using Twonky, I would either shut it down completely or move to something I felt was more secure.
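Added example (my own, not part of the original post and not code from Rapid7 or Twonky): a small Python script that turns the post's "allow only trusted IP addresses" and "monitor your network for odd login attempts" advice into concrete detection logic over access logs. It assumes the Twonky Server sits behind a reverse proxy or firewall that writes Apache/nginx combined-format logs; the trusted range 192.168.1.0/24, the `/login` path, the failure threshold and the sample log lines are all assumptions made for this example. The only detail taken from the post is the `/nmc/rpc/log_getfile` endpoint, which should never be reachable from an address you do not trust.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx combined format. They are
# invented for this example; they are not real Twonky or proxy logs.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Nov/2025:08:12:01 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211 "-" "curl/8.4.0"
192.168.1.20 - - [10/Nov/2025:08:13:44 +0000] "GET /nmc/rpc/log_getfile HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:08:15:10 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:08:15:11 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:08:15:12 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:08:15:13 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:08:15:30 +0000] "POST /login HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.168.1.20 - - [10/Nov/2025:08:20:00 +0000] "GET /rpc/index_dir HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed trusted LAN
LOG_DUMP_PATH = "/nmc/rpc/log_getfile"  # endpoint named in the advisory
LOGIN_PATH = "/login"  # assumed; replace with the login URL seen in your own logs
FAILED_LOGIN_THRESHOLD = 3  # assumed; failures from one IP before we alert


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_trusted(ip):
    """True if the address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def analyze(log_text):
    """Return a list of (alert_type, source_ip, timestamp) tuples.

    Two detections are applied:
      1. any request for the log-dump endpoint from outside TRUSTED_NETS
         (the unauthenticated path that leaks the stored admin credentials);
      2. a burst of failed logins from one IP, and a later success from that
         same IP, which is what a password-guessing or replay attempt looks like.
    """
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]  # ignore any query string

        if path == LOG_DUMP_PATH and not is_trusted(entry["ip"]):
            alerts.append(("untrusted_log_getfile", entry["ip"], entry["ts"]))

        if path == LOGIN_PATH:
            ip = entry["ip"]
            if entry["status"] in (401, 403):
                failures[ip] += 1
                if failures[ip] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("login_failure_burst", ip, entry["ts"]))
            elif entry["status"] == 200 and failures[ip] >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("login_success_after_failures", ip, entry["ts"]))
                failures[ip] = 0  # reset so one attack is reported once
    return alerts


if __name__ == "__main__":
    for alert_type, ip, ts in analyze(SAMPLE_LOG):
        print(f"{ts}  {alert_type:30s}  from {ip}")
```

Run it against your proxy's real access log instead of `SAMPLE_LOG` and every `untrusted_log_getfile` line is an address that could have pulled the encrypted password list; any hit on that path from a trusted address is still worth checking by hand, since nothing on the LAN should need it either.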