CVE-2025-64113
published 2025-12-09


Priority: P2 (66) · Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.60% (44.3rd percentile)
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.

Affected (3 ranges)

Vendor   Product           Version range   Fixed in
emby     emby              < 4.9.1.90      4.9.1.90
emby     emby              (none listed)   (none listed)
emby     supportsecurity   < 4.9.1.81      4.9.1.81

Detection & IOCs (extracted from sources)

  • Target systems running Emby Server versions below 4.9.1.81 are vulnerable to unauthenticated full administrative access takeover; detect exploitation attempts by monitoring for unauthorized admin-level API calls or session creation on Emby Server instances.
  • No authentication or special preconditions are required to exploit this vulnerability: any Emby Server instance below version 4.9.1.81 that is network-accessible is at risk, whether exposed to the internet or reachable only on an internal network.
  • The affected NuGet package is MediaBrowser.Server.Core and the affected Homebrew package is emby; both remain unpatched in Homebrew as of the source date.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa               9.3     CRITICAL
osv                9.3     CRITICAL