
A critical vulnerability has been discovered in Emby Server that allows unauthenticated attackers to gain full administrative access to affected systems.
Tracked as CVE-2025-64113 with a severity score of 9.3 out of 10 (CVSS v4), this weakness affects both stable and beta versions of the popular media server software.
The vulnerability stems from a weak password recovery mechanism (CWE-640) in Emby Server’s authentication system.
Attackers can exploit this flaw through the ForgotPassword API without any special privileges or user interaction; the attack is straightforward and requires only network access to a vulnerable Emby Server instance.
Once exploited, the attacker holds complete administrative control over the server: they can change settings, read stored data and potentially compromise the entire media library.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-64113 |
| Severity | Critical (9.3/10 CVSS v4) |
| Affected Product | Emby Server (Stable & Beta) |
| Impact | Confidentiality, Integrity, Availability (All High) |
| Weakness Classification | CWE-640: Weak Password Recovery Mechanism |
The vulnerability affects every Emby Server release up to and including 4.9.1.80 (stable) and 4.9.2.6 (beta).
Because no authentication is needed, any Emby Server instance an attacker can reach over the network, whether exposed to the internet or only on a LAN, is at risk until it is patched.
Emby developers have released patches addressing this vulnerability. Users should update to version 4.9.1.90 for stable releases or version 4.9.2.7 for beta releases.
Additionally, a quick fix will be distributed automatically through the default Emby Server plugins, so the mitigation reaches the user base without a manual update. According to the advisory, all Emby Server owners are nonetheless strongly encouraged to apply the available patches immediately.
Until the update is installed, administrators can apply a temporary workaround by restricting file-system permissions on the passwordreset.txt file in the Emby Server configuration folder, the file the password-reset flow relies on.
On Windows, deny access for "Authenticated Users" on that file; on Linux, run chmod 444 passwordreset.txt so the file is read-only. Note that mode bits do not restrict a process running as root, so on Linux this workaround only helps when the Emby service runs under an unprivileged account.
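As an added example (not code from the advisory or from the Emby project), the following POSIX shell script checks whether an installed Emby Server version still needs the patch, using the fixed versions named above, and then applies and verifies the Linux workaround. Two assumptions are specific to this example: builds in the 4.9.2.x line are treated as beta, and an empty passwordreset.txt is created when none exists so that the read-only permission has something to apply to.

```shell
#!/bin/sh
# Added example for CVE-2025-64113 (not from the advisory or Emby).
# Usage: . ./emby_cve_2025_64113.sh
#        needs_patch "$installed_version" && apply_workaround /var/lib/emby

# Fixed versions named in the advisory.
FIXED_STABLE="4.9.1.90"
FIXED_BETA="4.9.2.7"

# version_lt A B : exit 0 if dotted version A is strictly lower than B.
# Missing trailing components are treated as 0 (so 4.9.1 == 4.9.1.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal
    }'
}

# needs_patch VERSION : exit 0 if the installed version is still vulnerable.
# Assumption of this example: 4.9.2.x identifies the beta line.
needs_patch() {
    case "$1" in
        4.9.2.*) version_lt "$1" "$FIXED_BETA" ;;
        *)       version_lt "$1" "$FIXED_STABLE" ;;
    esac
}

# verify_workaround CONFIG_DIR : exit 0 only if passwordreset.txt exists
# and its mode is exactly 444 (read-only for owner, group and others).
verify_workaround() {
    f="$1/passwordreset.txt"
    [ -e "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "444" ]
}

# apply_workaround CONFIG_DIR : apply the advisory's Linux workaround
# (chmod 444 passwordreset.txt) and verify it. Creating an empty file when
# none exists is an assumption of this example, not an advisory step.
apply_workaround() {
    f="$1/passwordreset.txt"
    [ -e "$f" ] || : > "$f" || return 1
    chmod 444 "$f" || return 1
    verify_workaround "$1"
}
```

The version comparison is done in awk so that the script stays POSIX and does not depend on `sort -V`. Remember that a root-owned Emby process can still write a mode-444 file, so verify which account the service runs under before relying on this.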
