Emby, a media server software specialist, has reported that a number of its users’ servers were hacked through a well-known vulnerability combined with an unsafe configuration of an administrative account. The company discovered a malicious plugin and remotely shut down the affected servers as a security measure. The exact number of affected servers was not disclosed, but it is known that the attacks began this month and targeted private servers reachable over the internet. The hackers penetrated servers that allowed non-administrator access from the local network, using the “proxy header vulnerability” to get in without a password.
The attackers installed malicious plugins on the hacked servers, designed to collect the account credentials of any users connecting to the compromised servers. The Emby team was able to release an update for Emby servers that detects the malicious plugin and prevents it from loading. Emby recommends that administrators delete the malicious files, block network access to the attacker’s server, and check affected servers for recent changes.
The company strongly recommends changing all passwords and installing Emby Server update 4.7.12 as soon as it becomes available. Emby’s precautionary measures limited the escalation of the situation and drew administrators’ attention to it. The vulnerability has been known since February 2020 and was recently fixed in the beta channel of the Emby software.
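One common form of the flaw class the article calls a proxy header vulnerability, as an added example (not Emby's code): a server that decides "local network" from a forwarded-address header it never validated, beside a version that honours the header only from a proxy the operator runs. The `X-Forwarded-For` header name, the proxy address `10.0.0.2` and all function names are assumptions; the article does not describe Emby's internals.

```python
import ipaddress

# Assumption: the one reverse proxy the operator runs in front of the server.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}
# Ranges this sketch treats as "local network".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_lan(addr):
    """True when addr falls inside one of the LAN ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)


def naive_client_ip(peer_ip, headers):
    """Unsafe: believes the forwarded header no matter who sent the request."""
    forwarded = headers.get("X-Forwarded-For")
    return forwarded.split(",")[0].strip() if forwarded else peer_ip


def hardened_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Use the header only when the TCP peer is a proxy we operate.

    Walk the chain right to left and return the first hop that is not one
    of our proxies; an unparsable hop falls back to the socket address.
    """
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            return peer_ip
    return peer_ip


def allow_passwordless(client_ip):
    """The risky setting from the article: no password when 'on the LAN'."""
    return is_lan(client_ip)
```

With passwordless local login enabled, the naive resolver makes the authentication decision depend on a value the remote client controls; the hardened resolver ties it to the socket address or to a hop appended by the operator's own proxy.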