Software company Emby has remotely shut down some user-hosted media server instances after a threat actor exploited a known vulnerability to hijack systems.
“You encounter the following message in the Emby Server log: We have detected a malicious plugin on your system which has probably been installed without your knowledge. For your safety we have shut down your Emby Server as a precautionary measure. Note: Your server was never directly accessed by us. We used our standard update mechanism,” the company said in an advisory.
Emby further explained that the attacks have been going on since mid-May 2023, with the attacker breaching internet-facing user-hosted Emby servers with an insecure configuration for administrative user accounts. The attacker used a recently fixed flaw described as the “Proxy Header Vulnerability” to install a malicious plugin designed to steal login credentials.
The Emby team developed a firmware update to scan for the malicious plugin and shut down systems where it was found.
“As the given situation requires direct action and assessment by the administrator, we determined that shutting down the server and preventing further startup is the most suitable action as it disables the plug-in, possibly prevents the situation from getting worse and at the same time draws the attention of the administrator onto the subject,” the company said.