diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md index 4325bfcabbd..428a75003a8 100644 --- a/src/pentesting-web/web-vulnerabilities-methodology.md +++ b/src/pentesting-web/web-vulnerabilities-methodology.md 
@@ -93,6 +93,55 @@ There are several specific functionalities where some workarounds might be usefu - [ ] [**Reset Forgotten Password Bypass**](reset-password.md) - [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md) +#### Routing/path-prefix authentication bypass + +Many embedded web servers register multiple URI prefixes that resolve to the same RPC handlers, yet only enforce authentication on the documented path. When an undocumented prefix skips the auth middleware, every privileged handler hanging from it becomes reachable anonymously. + +**Example – Twonky Server 8.5.2 (CVE-2025-13315).** Twonky added access checks to `/rpc/*` after earlier disclosures, but the binary still routes the same handlers through `/nmc/rpc/*` without any credential checks. A single unauthenticated request leaks the full application logs: + +```http +GET /nmc/rpc/log_getfile HTTP/1.1 +Host: target.example +``` + +The alternate prefix also exposes operational endpoints such as `/nmc/rpc/stop`, `/nmc/rpc/stream_active`, `/nmc/rpc/byebye`, and `/nmc/rpc/wakeup`, letting an attacker shut the service down or query its status without authentication. + +**Attack workflow.** + +1. Fingerprint the target (e.g., Twonky replies with `Server: Twonky` headers and discloses its build in `/rpc/info_status`). +2. Issue an unauthenticated request to the hidden prefix (`/nmc/rpc/log_getfile`) to download startup logs that contain the configured `accessuser` and the encrypted `accesspwd` string. +3. Reuse the same prefix against other RPC handlers to invoke privileged actions or pivot to credential recovery. + +#### Reversible "encrypted" credentials protected by static symmetric keys + +Password “encryption” that relies on globally hardcoded keys is equivalent to cleartext storage. Twonky’s `enc_passwd` routine selects one of 12 Blowfish keys, encrypts the administrator password, and persists/logs it as `||{HEX_INDEX}{HEX_CIPHERTEXT}`. 
Any attacker that obtains that string (e.g., through the log leak above) can deterministically decrypt it because the key list is embedded in every binary. + +**Static Blowfish key table (Twonky 8.5.2).** + +| Index (hex) | Key | +| --- | --- | +| 0 | `E8ctd4jZwMbaV587` | +| 1 | `TGFWfWuW3cw28trN` | +| 2 | `pgqYY2g9atVpTzjY` | +| 3 | `KX7q4gmQvWtA8878` | +| 4 | `VJjh7ujyT8R5bR39` | +| 5 | `ZMWkaLp9bKyV6tXv` | +| 6 | `KMLvvq6my7uKkpxf` | +| 7 | `jwEkNvuwYCjsDzf5` | +| 8 | `FukE5DhdsbCjuKay` | +| 9 | `SpKNj6qYQGjuGMdd` | +| A | `qLyXuAHPTF2cPGWj` | +| B | `rKz7NBhM3vYg85mg` | + +**Decryption workflow (CVE-2025-13316).** + +1. Strip the leading `||` and parse the first hex digit to obtain the key index (e.g., `||7...` → index `7`). +2. Load the corresponding Blowfish key from the static table above. +3. Hex-decode the remaining ciphertext and run Blowfish/ECB decryption to recover the administrator password. Rapid7’s Metasploit module `auxiliary/gather/twonky_authbypass_logleak` automates this flow. +4. Authenticate to the web UI or the documented `/rpc/*` endpoints using the recovered credentials for full administrative control. + +Because the keys never change across installations, every leak of the `||{HEX_INDEX}{HEX_CIPHERTEXT}` blob (logs, backups, HTTP responses, support bundles, etc.) immediately hands attackers reusable administrative credentials across deployments. + ### **Structured objects / Specific functionalities** Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\ 
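Review bot: this hunk turns a checklist page (every other entry is a `- [ ] [**Name**](page.md)` item) into a long-form case study with an HTTP example, a 12-row key table and two numbered workflows; consider moving the Twonky material to its own page and adding a single `- [ ] [**Routing/path-prefix authentication bypass**](...)` item here so the methodology stays scannable. Within the content itself: step 3 of the decryption workflow asserts Blowfish in ECB mode, but nothing in the section records padding or block handling, so either cite where that detail comes from or restrict the claim to what the referenced write-up states; and since the reference title in the second hunk says the bypass is "not fixed", the section should say so explicitly and close with the defensive takeaway rather than only the attack chain (treat any `||{HEX_INDEX}{HEX_CIPHERTEXT}` blob as cleartext, rotate `accesspwd` after any log exposure, and deny the undocumented `/nmc/rpc/*` prefix at a reverse proxy until a vendor fix exists). Minor style: the heading uses straight quotes (`"encrypted"`) while the body uses curly ones (`“encryption”`, `Twonky’s`), and the en dash in `**Example – Twonky Server 8.5.2 ...**` should be a plain hyphen or colon to match the rest of the page.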
@@ -131,5 +180,8 @@ These vulnerabilities might help to exploit other vulnerabilities. - [ ] [**Parameter Pollution**](parameter-pollution.md) - [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html) +## References + +- [Rapid7 - CVE-2025-13315, CVE-2025-13316: Twonky Server authentication bypass](https://www.rapid7.com/blog/post/cve-2025-13315-cve-2025-13316-critical-twonky-server-authentication-bypass-not-fixed) {{#include ../banners/hacktricks-training.md}}
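Review bot: the reference's link text drops the "not fixed" qualifier that the article slug carries and that the new section depends on; use the article's full title so the unpatched status is visible at a glance. Also confirm that a blank line separates the `- [Rapid7 ...]` list item from the `{{#include ../banners/hacktricks-training.md}}` context line (the diff as rendered here runs them together), otherwise the include may be parsed as a continuation of the list item.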