GPUバックドア：CVE-2025-64113（Emby Server）のフォレンジック分析とエッジAIセキュリティの崩壊

In the hyper-accelerated AI landscape of early 2026, security engineering has largely bifurcated. On one side, teams are fortifying Enterprise RAG pipelines against prompt injection. On the other, they are locking down cloud VPCs. But a massive blind spot remains in the “Shadow Infrastructure”: the Edge Nodes and Home Labs where prototype models are born.

を開示した。 CVE-2025-64113 (CVSSスコア 9.8, Critical) exposes a catastrophic vulnerability in Emby Server, a popular media hosting solution. While Emby is consumer software, its deployment footprint overlaps heavily with the “Local LLM” community. Engineers frequently run Emby alongside オーラマ, ブイエルエルエムあるいは Stable Diffusion workloads on high-spec bare-metal servers (equipped with RTX 4090s or A6000s) to maximize hardware utilization.

For the AI security engineer, CVE-2025-64113 is not a media server bug; it is a password-less root bridge to your GPU compute cluster. This article abandons the consumer-tech narrative to analyze the vulnerability as a critical infrastructure threat, detailing the C# logic failure, the escalation to Remote Code Execution (RCE), and how to defend your silicon.

Vulnerability Intelligence Card

Technical Deep Dive: The Logic of the “Skeleton Key”

Emby Server is built on the .NET (C#) stack. The vulnerability stems from a fundamental failure in the “Password Reset Provider” logic, specifically regarding how the server validates physical file system tokens against API requests.

1. The Architectural Flaw

Emby’s password reset mechanism relies on a “Proof of Access” model.

• Intended Workflow: A user requests a reset. The server writes a file named passwordreset.txt to the configuration directory. The user must theoretically read this file (implying they have SSH/RDP access) to proceed.
• 脆弱性： The API endpoint handling the 確認 of the reset (/Users/ForgotPassword/Pin) fails to strictly enforce that the user knows the content of the file or that the session initiating the request matches the session finalizing it.

In vulnerable versions, the presence of the file acts as a global boolean flag: IsResetMode = True. Any unauthenticated user hitting the API during this window (or triggering the window themselves) can seize the admin account.

2. Forensic Code Reconstruction (Hypothetical C#)

Based on the patch diffs and behavior, we can reconstruct the vulnerable logic flow in the ConnectService または UserService.

C#

`// VULNERABLE LOGIC PATTERN public async Task<object> Post(ForgotPassword request) { var configPath = _appPaths.ConfigurationDirectoryPath; var tokenPath = Path.Combine(configPath, “passwordreset.txt”);

// FATAL FLAW: The code checks IF the file exists, 
// but implies trust without validating a secure token payload inside the request.
if (_fileSystem.FileExists(tokenPath))
{
    var user = _userManager.GetUserByName(request.UserName);
    
    // The attacker provides a new password, and because the file exists, 
    // the server allows the overwrite.
    await _userManager.ChangePassword(user, request.NewPassword);
    
    // Cleanup
    _fileSystem.DeleteFile(tokenPath);
    
    return new { Success = true };
}

throw new ResourceNotFoundException("Reset token not found on disk.");

}`

This is a classic Time-of-Check to Time-of-Use (TOCTOU) logic error combined with insufficient authentication depth.

3. The Exploit Kill Chain

1. トリガー： Attacker sends POST /Users/ForgotPassword with the target username (e.g., “admin”). Emby creates passwordreset.txt.
2. Race/Bypass: The attacker immediately sends the confirmation request with a new password. Because the file exists on disk, the condition FileExists returns true.
3. Takeover: The server updates the Admin password. The attacker logs in.
4. Escalation (RCE):
   • Plugin Install: Emby allows admins to install plugins (DLLs).
   • FFmpeg Hooks: Admins can define custom pre/post-processing scripts for media transcoding.
   • 結果 The attacker executes a reverse shell command via the Emby process (often running as Root in Docker or SYSTEM in Windows).

The Threat to AI Infrastructure: Why Context Matters

Security engineers often triage media servers as “Low Priority.” In the context of AI development, this is a fatal mistake.

1. The “Co-Located” Attack Vector

AI engineers typically build “All-in-One” heavy compute servers. A single Ubuntu box with dual RTX 4090s often hosts:

• Port 11434: Ollama (LLM Inference)
• Port 6333: Qdrant (Vector DB)
• Port 8888: JupyterLab
• Port 8096: Emby (Media/Personal Use)

Because these services run on the same kernel and share the same filesystem mounts (e.g., /mnt/data), compromising Emby via CVE-2025-64113 allows the attacker to pivot locally (ローカルホスト).

2. Exfiltration of High-Value Assets

Once inside the Emby container/process, the attacker can leverage volume mounts to access:

• Model Weights: Proprietary LoRA adapters or fine-tuned .safetensors files worth thousands of compute hours.
• RAG Datasets: Unencrypted vector stores containing private corporate knowledge bases.
• Environment Variables: .env files often shared between docker containers containing OpenAI API keys or HuggingFace tokens.

3. Compute Hijacking (Cryptojacking)

The most immediate impact is often resource denial. Attackers deploy Silent Miners (like XMRig) pinned to specific CUDA cores, siphoning off 30-50% of the GPU capacity. This degrades inference latency for legitimate AI workloads and causes hardware overheating, all while remaining subtle enough to evade basic CPU monitoring.

AIを活用したディフェンス過失の優位性

Detecting CVE-2025-64113 in a distributed, ad-hoc AI environment is challenging. Traditional scanners (Nessus/Qualys) require credentialed scans to see file systems and often miss non-standard ports.

そこで ペンリジェント redefines the offensive security posture.

1. Shadow Asset Discovery (The “Unknown Unknowns”)

Penligent’s AI Agents utilize passive traffic analysis and active probing to identify “Shadow Services.” It detects that a high-value GPU node is exposing port 8096 and fingerprints the service as Emby, automatically correlating it with the critical CVE-2025-64113 intelligence. It contextualizes the risk: “Media Server exposed on Critical AI Node.”

2. Non-Destructive Logic Verification

Instead of attempting to reset the admin password (which would cause a denial of service), Penligent performs a Safe Logic Probe.

• It initiates the handshake to trigger the passwordreset.txt creation mechanism (if safe).
• It analyzes the API response timing and error codes to determine if the bypass vector is active.
• It confirms the vulnerability with near-zero false positives, providing a verified “Critical” alert without disrupting the engineer’s Saturday night movie or their LLM training run.

Remediation and Hardening Handbook

If you manage AI infrastructure that includes Emby, immediate action is mandatory.

1. Patching (The Only Fix)

Upgrade to Emby Server 4.9.1.81 immediately. This version fundamentally rewrites the password reset logic to require a token that cannot be guessed via API interaction.

2. Filesystem Immutable Lock (The “Kill Switch”)

If you cannot patch immediately (e.g., due to dependency freezes), you can neuter the exploit by preventing the creation of the reset token.

For Linux (Docker/Bare Metal):

バッシュ

`# Navigate to the Emby configuration directory cd /var/lib/emby/config

Create a dummy file

touch passwordreset.txt

Make it immutable (even root cannot write/delete it)

sudo chattr +i passwordreset.txt`

Effect: The attacker’s API request to ForgotPassword will fail because the server cannot write to the file, breaking the logic chain.

For Windows:

Right-click the config folder -> Properties -> Security -> Advanced. Add a “Deny Write” rule for the user account running the Emby service.

3. Network Segmentation (Zero Trust)

• Isolate Management Ports: Never expose port 8096/8920 to the public internet.
• Use Tunnels: Access services via Tailscale, Cloudflare Tunnel, or a VPN.
• Container Isolation: Ensure the Emby Docker container does not run as -privileged and only mounts the specific media directories it needs (Read-Only where possible), not the entire /mnt/ root.

結論

CVE-2025-64113 is a reminder that the attack surface of an AI system extends far beyond the model itself. In the era of converged infrastructure, a vulnerability in a recreational media application can compromise the most advanced artificial intelligence workloads.

Security engineering is about protecting the entire stack. By applying rigorous patching, network segmentation, and utilizing AI-driven asset discovery tools like Penligent, organizations can close these backdoors before they result in a catastrophic loss of compute or intellectual property.

信頼できるリファレンス

• Wiz.io Vulnerability Database: CVE-2025-64113 Impact & Mitigation
• NIST NVD Detail for CVE-2025-64113
• GitHub Advisory Database: GHSA-95fv-5gfj-2r84
• Tenable Vulnerability Alert: CVE-2025-64113