A critical security warning has been issued for users of Twonky Server, the popular media server software found on countless NAS devices and routers. In a concerning development, researchers at Rapid7 have identified two severe vulnerabilities that allow hackers to bypass authentication and seize control of the server—and the vendor has reportedly ceased communication without releasing a fix.
The flaws, discovered by Rapid7 researcher Ryan Emmons, affect Twonky Server version 8.5.2, which remains the latest available version.
The “Zero-Day” Double Threat
The attack chain relies on two distinct vulnerabilities (CVE-2025-13315 and CVE-2025-13316) that, when combined, offer attackers the keys to the kingdom.
1. The Leak (CVE-2025-13315)
The first flaw, rated Critical (CVSS 9.3), is an improper API access vulnerability. While previous patches attempted to lock down the /rpc web API, researchers found a workaround. By using the prefix /nmc/rpc, attackers can bypass authentication checks entirely.
As stated in the report, “An unauthenticated remote attacker can bypass web service API authentication controls to leak a log file and read the administrator’s username and encrypted password”.
2. The Decryption (CVE-2025-13316)
Once the attacker has the encrypted password from the leaked log, the second flaw comes into play. The software relies on static, hardcoded keys to encrypt administrator credentials. Since these keys are identical across installations, they are trivial for an attacker to exploit.
The report explains the severity: “An attacker with an encrypted administrator password value can decrypt it into plain text using these hardcoded keys”.
The Result: Complete compromise. “Exploitation results in the unauthenticated attacker gaining plain text administrator credentials, full administrator access to the Twonky Server instance, and control of all stored media files”.
Vendor Ghosting: “A Patch Wouldn’t Be Possible”
Perhaps more alarming than the vulnerabilities themselves is the vendor’s response. Rapid7 followed standard disclosure protocols, reporting the issues to Lynx Technology. However, after confirming receipt, the vendor reportedly stopped responding.
The report outlines the breakdown in communication: “They stated that a patch wouldn’t be possible, even with a disclosure timeline extension, and subsequent follow-up attempts on our part were unsuccessful”.
This leaves the estimated 850 Twonky Server services currently exposed to the public internet—along with countless others on internal networks—without an official fix.
User Action Required: Isolate Immediately
With no patch forthcoming, Twonky Server users must take matters into their own hands to secure their networks. The primary recommendation is network segmentation.
“In lieu of any patches or mitigation guidance from the vendor, affected organizations and individuals are advised to restrict Twonky Server traffic to only trusted IPs”.
Furthermore, due to the nature of the exploit, Rapid7 advises that “any administrator credentials configured in Twonky Server should be assumed to be compromised”.
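As an added illustration of the defender's side of both the /nmc/rpc bypass described above and the trusted-IP restriction Rapid7 recommends (this is not code from Rapid7's report or from the Twonky project), the following Python scans constructed web-server access-log lines for requests to the /rpc API or the /nmc/rpc prefix that originate outside a trusted address range. The Common Log Format, the CIDR list and the method name in the sample paths are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format; these are not real
# Twonky Server logs, and "example" stands in for an RPC method name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:12:00:01 +0000] "GET /nmc/rpc/example HTTP/1.1" 200 5120
192.168.1.20 - - [10/Nov/2025:12:00:02 +0000] "GET /rpc/example HTTP/1.1" 200 800
198.51.100.9 - - [10/Nov/2025:12:00:03 +0000] "GET /nmc/%2Frpc/example HTTP/1.1" 200 5120
192.168.1.20 - - [10/Nov/2025:12:00:04 +0000] "GET /nmc/rpc/example HTTP/1.1" 200 800
203.0.113.7 - - [10/Nov/2025:12:00:05 +0000] "GET /webbrowse/ HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The documented API path and the prefix the report says bypasses its auth checks.
WATCHED_PREFIXES = ("/nmc/rpc", "/rpc")


def normalize_path(raw):
    """Decode percent-encoding, drop the query string and collapse repeated
    slashes so encoded or doubled-slash variants of a prefix still match."""
    path = unquote(raw.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()


def is_trusted(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)


def hits_watched_prefix(path):
    return any(path == p or path.startswith(p + "/") for p in WATCHED_PREFIXES)


def flag_api_requests(log_text, trusted_cidrs):
    """Return one finding per API request from an address outside trusted_cidrs."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = normalize_path(m["path"])
        if not hits_watched_prefix(path) or is_trusted(m["ip"], nets):
            continue
        findings.append({"src": m["ip"], "path": path, "status": int(m["status"]),
                         "bypass_prefix": path.startswith("/nmc/rpc")})
    return findings
```

Requests from the trusted range are deliberately not reported, because the /rpc API is the normal administration path; a hit from outside that range is what the trusted-IP restriction is meant to prevent.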