CVE-2025-64113
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64113
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
emby emby to 4.9.1.90 (exc)
emby emby 4.9.2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Emby Server versions below 4.9.1.81 allows an attacker with network access to gain full administrative access to the Emby Server application itself, meaning they can control the server's administration features. No other specific preconditions are required for exploitation. This does not grant access to the underlying operating system, only the Emby Server administration.

Impact Analysis

If exploited, this vulnerability allows an attacker to take full control over the Emby Server administration, potentially enabling them to manipulate media content, change server settings, access user data stored within the server, or disrupt service. This could lead to unauthorized data access or service interruption within the media server environment.

Mitigation Strategies

Upgrade Emby Server to version 4.9.1.81 or later, as this version contains the fix for the vulnerability allowing full administrative access. Ensure that your Emby Server is not accessible to untrusted networks until the update is applied.

Compliance Impact

The vulnerability allows an attacker to gain full administrative access to the Emby Server application, impacting confidentiality, integrity, and availability at a high level. Such a compromise could lead to unauthorized access to sensitive personal or protected data managed by the server, potentially resulting in non-compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity. Therefore, this vulnerability poses a significant risk to compliance with these regulations if exploited. [1]

Detection Guidance

This vulnerability can be detected by identifying Emby Server versions up to 4.9.1.80 (stable) and 4.9.2.6 (beta) running on your system, as these versions are vulnerable. Since the vulnerability involves the passwordreset.txt file in the configuration folder, checking for the presence and permissions of this file may help. However, no specific detection commands are provided in the available resources. The recommended action is to verify the Emby Server version and update to version 4.9.1.90 (stable) or later, or 4.9.2.7 (beta) or later, which include the fix. For version detection, you might use commands like querying the Emby Server API or checking the installed package version, but these commands are not specified in the provided text. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64113. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart