Emby shuts down user media servers hacked in recent attack


Image: Bing Image Creator

Emby says it remotely shut down an undisclosed number of user-hosted media server instances that were recently hacked by exploiting a previously known vulnerability and an insecure admin account configuration.

“We have detected a malicious plugin on your system which has probably been installed without your knowledge. [..] For your safety we have shutdown your Emby Server as a precautionary measure,” the company informed users of affected servers in new entries added to the log files.

The attacks began in mid-May 2023 when the attackers started targeting Internet-exposed private Emby servers and infiltrating those configured to allow admin logins without a password on the local network.

To trick the servers into granting them access and gain admin servers to the vulnerable servers even though they were attempting to log in from outside the LAN, the threat actors exploited a flaw described by Emby as a “proxy header vulnerability,” known since at least February 2020 and recently patched in the beta channel.

The hackers used their access to backdoor the compromised Emby instances by installing a malicious plugin that harvests the credentials of all users signing into the hacked servers.

“After careful analysis and evaluation of possible strategies for mitigation, the Emby team was able to push out an update to Emby Server instances which is able to detect the plugin in question and prevents it from being loaded,” Emby said.

“Due to the severity and the nature of this situation and in an abundance of caution we are preventing affected servers to start up again after the detection.”

As Emby further explained, shutting down the affected servers was a precautionary measure aiming to disable the malicious plugin, as well as to mitigate the immediate escalation of the situation and draw the admins’ attention to address the issue directly.

Admins warned to check for additional suspicious activity

Emby admins are advised to immediately delete the malicious helper.dll or EmbyHelper.dll files from the plugins folder in the Emby Server Data Folder and from the cache and data subfolders before starting their servers again.

They should also block the malware’s access to the attackers’ server by adding a new “” line in their hosts file.

Compromised servers should also be reviewed for any recent changes, including:

  • Suspicious user accounts
  • Unknown processes
  • Unknown network connections and open ports
  • SSH configuration
  • Firewall rules
  • Change all passwords

Emby plans to release an Emby Server 4.7.12 security update as soon as possible to address the issue.

While Emby didn’t reveal how many servers were impacted in the attack, Emby developer softworkz added a new community post yesterday titled “How we took down a BotNet of 1200 hacked Emby Servers within 60 seconds.”

However, the post only asks users to “watch out for the full story coming shortly.”


  • jkr4m3r Photo jkr4m3r – 4 days ago


    Should say EmbyHelper.dll

  • serghei Photo serghei – 4 days ago

    Thanks, fixed!

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.29 5M+ Downloads

  • McAfee Consumer Products Removal tool Logo

    McAfee Consumer Products Removal tool

    Version: NA 432,232 Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 23,002 Downloads


Related posts

Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner

Sarah Henriquez

NortonLifeLock warns that hackers breached Password Manager accounts

Sarah Henriquez

Hackers trojanize PuTTY SSH client to backdoor media company

Sarah Henriquez

Leave a Comment