CVE-2025-64113 CRITICAL

CVE-2025-64113: Emby Server allows attackers to gain administrative server access without preconditions

Vendor Embysupport
Product security
Weakness CWE-640 · Weak password recovery
Published December 9, 2025
Last update December 9, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

01 Description

Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.

Key dates

02 Disclosure timeline

December 9, 2025 CVE published
December 9, 2025 Record updated