rainbowsea02 0 Posted October 29, 2025 (edited)

Hey everyone, I wanted to raise awareness about a serious security issue that’s currently affecting Emby Server users. It looks like there’s a remote access vulnerability being actively exploited — attackers are reportedly gaining access to servers and deleting all media files, including those on local and network drives.

In the past few days, several users (myself included) have seen unauthorized access to our servers. There’s no sign of local network breaches or credential leaks, so this might be a remote code execution vulnerability.

Until there’s an official response, I’d recommend:
- Disabling remote access to your Emby Server.
- Backing up your libraries if possible.
- Monitoring any unusual activity or log entries.

@EmbyTeam — please investigate this as soon as possible and share any updates or mitigation advice. Let’s keep each other posted here if anyone finds more details or temporary fixes.

Stay safe, everyone.
– A Concerned Emby User

Edited October 29, 2025 by softworkz
Abobader 3464 Posted October 29, 2025

Hello rainbowsea02,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread:

Thank you.
Emby Team
AndreiP 33 Posted October 29, 2025

Could you please give more information about what exactly happened in your case? Who are the other users who have suffered the same attack?
rainbowsea02 0 Posted October 29, 2025 Author

3 minutes ago, AndreiP said: Could you please give more information about what exactly happened in your case? Who are the other users who have suffered the same attack?

Dear Emby Users,

Urgent Security Notice – Service Suspension

Recently, multiple Emby server administrators have discovered and reported several critical security vulnerabilities in the Emby system, including:
- ILVN-2025-0235 / CVE-2025-46387 (Critical Severity)
- An unpublished API privilege escalation vulnerability (pending official ID assignment)

These vulnerabilities can be exploited by attackers to bypass authentication or perform brute-force attacks, potentially allowing full server control, data tampering, or even ransomware deployment. According to community reports and incident data, at least 10 Emby servers have already been compromised and subjected to ransom attacks, indicating a serious and ongoing threat.
rainbowsea02 0 Posted October 29, 2025 Author

I specifically registered this account to report this serious bug.
Luke 42077 Posted October 29, 2025

I'm having a hard time finding concrete information such as steps to reproduce, what APIs were used, etc. Where is that?
rainbowsea02 0 Posted October 29, 2025 Author

14 minutes ago, Luke said: I'm having a hard time finding concrete information such as steps to reproduce, what APIs were used, etc. Where is that?

Here is a post for reference: 【Geek】Notes on the Emergency Response After an EmbyServer Intrusion - Cane's Blog
softworkz 5066 Posted October 29, 2025 (edited)

First of all, I see a lot of misinformation. From reading this https://t.me/lily_yaya/788 I get a feeling that somebody might be trying to blow up something as an excuse for one's own mistakes.

A lot of information is incorrect here: especially claims that things would have been reported to us. Then there's a reference to a fake CVE from August with absolutely zero content. Further, it is being said that only versions earlier than 4.9.0.35 are affected. Version 4.9.0.35 is from Dec 31, 2024, so it's almost a year old, and it was a beta version.

44 minutes ago, rainbowsea02 said: 【Geek】Notes on the Emergency Response After an EmbyServer Intrusion - Cane's Blog

The person is talking about vulnerabilities in Python code. Emby is not developed in Python nor does it ship any Python code. This is about some 3rd party "product" "https://pypi.org/project/python-emby-proxy", which has closed down the GitHub repo... It is unrelated to the claims above.

Once again a totally different case is what is shown in the video. This is not a security vulnerability. It cannot be exploited, because it only works when you do it from the same browser. This is nothing that needs any action.

To be honest: the situation seems like you would be trying to throw any old, outdated, pointless and individually unrelated stuff at us in order to make it look as if there would exist some big issue on our side. I don't know why you are doing this but I don't really care anyway.

Please stop this nonsense!

Edited October 29, 2025 by softworkz
1
Luke 42077 Posted October 29, 2025

44 minutes ago, rainbowsea02 said: Here is a post for reference: 【Geek】Notes on the Emergency Response After an EmbyServer Intrusion - Cane's Blog

The article seems to talk more about the "EmbyServer User Management" project. No?
seanbuff 1315 Posted October 29, 2025

1 hour ago, Luke said: The article seems to talk more about the "EmbyServer User Management" project. No?

Correct. My thoughts also. This second link provides different info, namely related to the latest stable version: https://hicane.com/archives/geek-embyserver-gao-wei-an-quan-lou-dong
zdzzdz 0 Posted October 29, 2025 (edited)

Hi everyone, I recently came across some information about a newly discovered 0-day vulnerability in EmbyServer, supported by the author's demonstration video and article. I hope the official team can address this promptly.

Link 1: 【Geek】EmbyServer High-Risk Security Vulnerability
Link 2: Emby Security Vulnerability

I discussed this on the forum and have translated the key details into English below for broader understanding.

Title: 【Geek】EmbyServer High-Risk Security Vulnerability
Author: Cane
Date: 2025-10-29

Summary: A severe access control flaw has been discovered in EmbyServer, classified as a high-risk vulnerability. It affects versions up to v4.9.1.80 (the latest as of 2025-10-29). Under default configurations, an attacker can compromise almost any EmbyServer instance without requiring a token or user account. In a clean local environment set up with the official EmbyServer v4.9.1.80, the author demonstrated successful exploitation within 1–3 minutes.

Key Points:
- The vulnerability stems from EmbyServer’s design philosophy, which prioritizes trusted environments (e.g., home networks). Its permission mechanisms are coarse-grained and easily fail in untrusted networks (e.g., the public internet).
- While a previous vulnerability (CVE-2025-46387) was reported in July 2025 for versions ≤ v4.9.0.35, this new 0-day impacts even the latest version.
- The author has reported the issue to the vendor but notes that no fix has been released yet.

Mitigation Recommendations:
- Immediate Action: Deploy a security gateway (e.g., a reverse proxy with strict access policies) to isolate EmbyServer from direct exposure.
- Refer to the author’s earlier guide, EmbyServer Token Security Maintenance Guide, for temporary safeguards.
- Avoid exposing EmbyServer directly to the internet.

Conclusion: The root cause lies in EmbyServer’s architecture. A fundamental redesign or the use of a security gateway is recommended, as partial fixes may not fully resolve the issue.

Note: The video link (Bilibili BV1yFyUBXE38) demonstrates the exploitation process. The author has withheld technical details to prevent misuse.

Edited October 29, 2025 by zdzzdz
softworkz 5066 Posted October 29, 2025

Okay, let's summarize on these things.

1. CVE-2025-46387

This is just a ghost issue. Someone has acquired a number, made a few selections for the required minimal information - and nothing else. There is no content at all - effectively invalid. https://nvd.nist.gov/vuln/detail/CVE-2025-46387

12 minutes ago, zdzzdz said: Link 2: Emby Security Vulnerability

2. Link 2 - Emby Security Vulnerability

This video looks like a show to me. Unless details are provided, I cannot take this seriously.

3. Link 1 - "High-Risk" Vulnerability

Quote: Getting back to the main point, after learning that EmbyServer itself might not be secure, I tried to gather and understand the details of the CVE-2025-46387 vulnerability mentioned above to see if the problem still existed in the current version. However, the vendor seems to have been slow to fix the vulnerability, resulting in the related details not being disclosed.

Here it's getting even ridiculous: the details have not been disclosed because we haven't fixed it? This can only work the other way round, because without providing any details there's nothing for us to fix. Then, the author claims to know that it hasn't been fixed by us (we would have been slow). But since that CVE is totally blank and empty, there is absolutely no way for this person to know whether it has been fixed or not.

Finally @zdzzdz - you are the same person as @rainbowsea02. Probably also the same as "Cane" from the website and whoever else. You think you are clever? You are not. Your play was easy to figure out.

Last warning: Stop this nonsense!
1