CVE-2025-64113
Published 2025-12-09
Priority P266 · critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.3rd percentile)
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emby | emby | < 4.9.1.90 | 4.9.1.90 |
| emby | emby | — | — |
| embysupport | security | < 4.9.1.81 | 4.9.1.81 |
Detection & IOCs (extracted from sources)
- Systems running Emby Server versions below 4.9.1.81 are exposed to an unauthenticated takeover of the server's administrative role; detect exploitation attempts by monitoring for admin-level API calls or session creation that does not correspond to a known administrator on the Emby Server instance.
- No authentication or special preconditions are required to exploit this vulnerability: any Emby Server instance below version 4.9.1.81 that is reachable over the network is at risk, whether exposed to the internet or only to an internal network.
- The sources name the NuGet package MediaBrowser.Server.Core and the Homebrew package emby as affected, and report the Homebrew package as still unpatched as of the source date. Note that the GHSA/OSV advisory quoted further down was withdrawn specifically because listing MediaBrowser.Server.Core as vulnerable was incorrect; the issue is in Emby Server itself (stable 4.9.1.80 and prior, beta 4.9.2.6 and prior).
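A practical first step for the detection points above is to inventory Emby instances and decide, from the version string alone, whether each one falls inside the affected ranges. The following Python script is an added example and is not code from Emby or from any of the advisory sources. It applies the thresholds stated in the withdrawn GHSA/OSV advisory quoted on this page (stable builds 4.9.1.80 and prior, beta builds 4.9.2.6 and prior; 4.9.1.81 is the stable fix). Note that one of the affected ranges listed above gives 4.9.1.90 as the fixed version instead; the script follows the advisory text and treats 4.9.1.81 and later stable builds as fixed, so adjust `STABLE_FIXED` if your vendor guidance says otherwise. The unauthenticated endpoint `/emby/System/Info/Public` and its `Version` field are an assumption about Emby's public API rather than something this page documents, and the JSON responses embedded below are constructed samples.

```python
"""Version triage for CVE-2025-64113 (Emby Server).

Added example; not code from Emby or from the advisory sources. The ranges come
from the withdrawn GHSA/OSV advisory text on this page. The public-info endpoint
and its "Version" field are an assumption about Emby's API, not page content.
"""
import json
import re
import urllib.request
from typing import Dict, Tuple

STABLE_FIXED = (4, 9, 1, 81)        # "This issue is fixed in version 4.9.1.81"
BETA_BRANCH = (4, 9, 2)              # the 4.9.2.x beta line
BETA_LAST_AFFECTED = (4, 9, 2, 6)   # "Beta versions 4.9.2.6 and prior"

# Constructed sample responses in the shape assumed for /emby/System/Info/Public.
SAMPLE_STABLE_OLD = '{"ServerName": "den-nas", "Version": "4.9.1.80", "Id": "aaaa"}'
SAMPLE_STABLE_FIXED = '{"ServerName": "den-nas", "Version": "4.9.1.81", "Id": "aaaa"}'
SAMPLE_BETA_OLD = '{"ServerName": "lab-emby", "Version": "4.9.2.6-beta", "Id": "bbbb"}'


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.9.1.80' (or '4.9.2.6-beta') into a four-int tuple.

    Each dotted component contributes its leading digits only, so a suffix such
    as '-beta' is ignored; missing components are padded with 0, so '4.9.1'
    compares as 4.9.1.0 rather than raising.
    """
    comps = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        comps.append(int(match.group()))
        if len(comps) == 4:
            break
    if not comps:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(comps + [0] * (4 - len(comps)))


def is_vulnerable(version_text: str) -> bool:
    """True if the version is inside one of the affected ranges.

    Beta builds on the 4.9.2 line are affected up to and including 4.9.2.6;
    every other build is affected if it is older than the 4.9.1.81 stable fix.
    """
    v = parse_version(version_text)
    if v[:3] == BETA_BRANCH:
        return v <= BETA_LAST_AFFECTED
    return v < STABLE_FIXED


def triage_public_info(body: str) -> Dict[str, object]:
    """Classify one server from the JSON body of the assumed public-info call."""
    info = json.loads(body)
    version = str(info.get("Version", ""))
    return {
        "server": info.get("ServerName"),
        "version": version,
        "vulnerable": is_vulnerable(version),
    }


def fetch_public_info(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the unauthenticated server info (assumed endpoint; not run in tests)."""
    url = base_url.rstrip("/") + "/emby/System/Info/Public"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run over the constructed samples; swap in fetch_public_info(url)
    # for a live host you are authorised to test.
    for sample in (SAMPLE_STABLE_OLD, SAMPLE_STABLE_FIXED, SAMPLE_BETA_OLD):
        result = triage_public_info(sample)
        flag = "VULNERABLE" if result["vulnerable"] else "ok"
        print(f"{result['server']:<10} {result['version']:<14} {flag}")
```

The comparison is done on integer tuples rather than on strings so that 4.9.1.9 sorts below 4.9.1.81; a naive string comparison would get that wrong. A version that parses but falls above 4.9.2.6 on the beta line is reported as not vulnerable because the advisory bounds the beta range at 4.9.2.6, not because this page states a beta fix version.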
CVSS provenance
- NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v4.0: 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- GHSA: 9.3 CRITICAL
- OSV: 9.3 CRITICAL
OSV
Withdrawn Advisory: Emby Server API Vulnerability allowing to gain administrative access without precondition
osv · 2025-12-08 · CVSS 9.3 · CVE-2025-64113 [CRITICAL]
### Withdrawn Advisory
This advisory has been withdrawn because it incorrectly listed [MediaBrowser.Server.Core](https://www.nuget.org/packages/MediaBrowser.Server.Core) as vulnerable. CVE-2025-64113 affects Emby Server versions 4.9.1.80 and prior, and Emby Server Beta versions 4.9.2.6 and prior.
### Original Description
### Impact
This vulnerability affects all Emby Server versions - beta and stable up to the specified versions.
It allows an attacker to gain full administrative access to an Emby Server (for Emby Server administration, **not at the OS level**).
Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable.
### Patches
GHSA
Withdrawn Advisory: Emby Server API Vulnerability allowing to gain administrative access without precondition
ghsa · 2025-12-08 · CVSS 9.3 · CVE-2025-64113 [CRITICAL] · CWE-640
The GHSA entry carries the same withdrawal notice and original description as the OSV entry above.
No detection rules found.
No public exploits indexed.