A important vulnerability has been found in Emby Server that permits unauthenticated attackers to realize full administrative entry to affected methods.
Tracked as CVE-2025-64113 with a severity rating of 9.3 out of 10 (CVSS v4), this weak spot impacts each secure and beta variations of the favored media server software program.
The vulnerability stems from a weak password restoration mechanism (CWE-640) in Emby Server’s authentication system.
Attackers can exploit this flaw through the ForgotPassword API with none particular privileges or person interplay. The assault is easy to execute and requires solely community entry to a susceptible Emby Server occasion.
As soon as exploited, an attacker good points full administrative management over the server, permitting them to switch settings, entry saved knowledge, and doubtlessly compromise your entire media library.
AttributeDetailsCVE IDCVE-2025-64113SeverityCritical (9.3/10 CVSS v4)Affected ProductEmby Server (Secure & Beta)ImpactConfidentiality, Integrity, Availability (All Excessive)Weak point ClassificationCWE-640: Weak Password Restoration Mechanism
The vulnerability impacts all customers operating Emby Server variations as much as 4.9.1.80 (secure launch) and 4.9.2.6 (beta launch).
The important nature of this flaw implies that any uncovered Emby Server occasion on a community is straight away in danger.
Emby builders have launched patches addressing this vulnerability. Customers ought to replace to model 4.9.1.90 for secure releases or model 4.9.2.7 for beta releases.
Moreover, a fast repair will probably be robotically distributed through the default Emby Server plugins.
Enabling speedy deployment throughout the person base with out requiring handbook updates. In accordance with the advisory, all Emby Server house owners are strongly inspired to use the out there patches instantly.
Till updates are put in, directors can implement a brief workaround by setting restricted file system permissions on the passwordreset.txt file positioned within the Emby Server configuration folder.
On Home windows methods, deny permissions for “Authenticated customers,” whereas on Linux methods, use chmod 444 passwordreset.txt to limit entry.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
