Advisory

Emby Server vulnerability allows unauthenticated administrative access

Take action: If you're running Emby Server, be aware that the password reset function can be trivially exploited to gain administrative access. Plan a very quick update to version 4.9.1.81 or later (or 4.9.2.7+ for beta users). If you can't update right away, protect the passwordreset.txt file by setting deny permissions for authenticated users (Windows) or running sudo chmod 444 passwordreset.txt (Linux).


Learn More

Emby Server has patched a critical security vulnerability that allows unauthenticated attackers to gain full administrative access to the media server platform. 

The flaw, tracked as CVE-2025-64113 (CVSS score 9.3), is caused by a weak password recovery mechanism in Emby Server's authentication system. The vulnerability allows attackers to exploit the ForgotPassword API to gain complete administrative control over affected Emby Server instances.

Affected versions of Emby Server include all stable versions up to and including 4.9.1.80, as well as beta versions up to 4.9.2.6. Both the Community and Enterprise deployments are affected by this vulnerability. Any server running these versions and accessible over a network is immediately vulnerable to attack.

Users running stable versions should update to version 4.9.1.81 or later. Beta users should upgrade to version 4.9.2.7 or later. Emby has also implemented an automatic fix distributed through the default-included Emby Server plugins. All Emby Server admins are strongly encouraged to apply these updates immediately.

As a mitigation measure for users who cannot upgrade immediately, administrators can set restricted file system permissions on the passwordreset.txt file located in the Emby Server configuration folder. If the file does not exist, users can create it manually or trigger its creation by calling the ForgotPassword API once. 

On Windows systems, administrators should set DENY permissions for "Authenticated users". On Linux systems, permissions can be restricted using the command sudo chmod 444 passwordreset.txt. These workarounds will cause the vulnerable API request to fail, eliminating the attack vector. 
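The Linux workaround above, written up as a small script so it can be applied and verified consistently across several hosts. This is an added example, not tooling from Emby or from the advisory; it assumes the path to the Emby Server configuration folder is passed as the first argument and that the script runs with enough privilege (for example under sudo) to change the file's mode. It creates passwordreset.txt if it is missing, as the advisory suggests, rather than triggering the ForgotPassword API, so the restrictive permissions are in place before any reset request is handled.

```shell
#!/bin/sh
# Added example (not Emby's own tooling): apply the advisory's Linux workaround
# of making passwordreset.txt read-only (mode 444) inside the Emby Server
# configuration folder, creating the file first if it does not exist, then
# verify the resulting mode.

# Usage: harden_passwordreset /path/to/emby/config
# Returns 0 when the file ends up with mode 444, non-zero otherwise.
harden_passwordreset() {
    cfg_dir="$1"
    target="$cfg_dir/passwordreset.txt"

    if [ ! -d "$cfg_dir" ]; then
        echo "config folder not found: $cfg_dir" >&2
        return 2
    fi

    # The advisory notes the file may not exist yet. Create it manually so the
    # read-only mode is already in place when the vulnerable request arrives.
    if [ ! -e "$target" ]; then
        : > "$target" || return 3
    fi

    chmod 444 "$target" || return 3

    # Verify: the first ten characters of ls -l are the type and mode bits.
    mode=$(ls -ld "$target" | cut -c1-10)
    if [ "$mode" = "-r--r--r--" ]; then
        echo "ok: $target is read-only ($mode)"
        return 0
    fi
    echo "unexpected mode on $target: $mode" >&2
    return 4
}

# Helper for scripted checks: print the symbolic mode of passwordreset.txt
# in the given configuration folder.
passwordreset_mode() {
    ls -ld "$1/passwordreset.txt" | cut -c1-10
}
```

The script is idempotent, so it can be re-run after each service restart or from configuration management until the server is upgraded. On Windows the equivalent step is the DENY entry for "Authenticated users" on the same file, as described above.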
