CVE-2023-33193
published 2023-05-30


Priority: P1 80
Severity: critical, 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
In-the-wild exploit: listed in VulnCheck KEV, exploited in the wild
EPSS: 1.71% (74.5th percentile)
Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.

Affected

4 ranges

Vendor  Product          Version range          Fixed in
emby    emby.releases    < 4.7.0.12             4.7.0.12
emby    emby.releases    >= 4.8.0.0 < 4.8.31    4.8.31
emby    supportsecurity  < 4.7.12               4.7.12
emby    supportsecurity

Detection & IOCs (extracted from sources)

url: GET /emby/users/public HTTP/1.1
path: /emby/users/public
  • Detect exploitation attempts by monitoring HTTP requests to /emby/users/public with a spoofed X-Forwarded-For: 127.0.0.1 header, which tricks the server into treating the request as local/trusted.
  • A successful exploit response to /emby/users/public returns HTTP 200 with application/json content-type and a body containing the fields 'Name', 'ServerId', 'HasPassword', and 'Configuration', indicating unauthenticated enumeration of user accounts.
  • Use the Shodan query 'product:"Emby Media Server"' to identify publicly exposed Emby Server instances potentially vulnerable to this authentication bypass.
  • This vulnerability only impacts Emby Server instances that are publicly accessible AND where the administrator has not tightened account login configuration for administrative users (e.g., accounts with no password set).
  • The bypass is conditional on certain user account settings, specifically accounts configured without a password, making the impact dependent on the target server's user configuration.

CVSS provenance

nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 9.1 CRITICAL