
Plex has notified some of its customers on Thursday to urgently update their media servers due to a recently patched security vulnerability.
The company has yet to assign a CVE-ID to track the flaw and did not provide more details about the patch, only saying that it affects Plex Media Server versions 1.41.7.x to 1.42.0.x.
Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.
“We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses,” the company said in the email.
“You're receiving this notice because our records indicate that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the latest version as soon as possible, if you have not already done so.”
Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.
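A quick way for administrators to check whether a server falls inside the affected range named above, as an added example that is not part of the article or Plex's own tooling. It assumes the version string has the usual `major.minor.patch.build-hash` shape and that the server's `/identity` endpoint reports it in a `version` attribute; the XML sample below is constructed, not a real server response.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in Plex's notice (inclusive on both ends);
# the first fixed build is the one named in the article.
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)
FIXED_VERSION = (1, 42, 1, 10060)


def parse_version(version):
    """Turn a Plex version such as '1.42.0.10004-c67dce28e' into an int
    tuple, dropping the trailing build-hash suffix after the dash."""
    core = version.split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True when major.minor.patch lies within 1.41.7 .. 1.42.0 (any build)."""
    return AFFECTED_MIN <= parse_version(version)[:3] <= AFFECTED_MAX


def is_fixed(version):
    """True when the server already runs the patched build or newer."""
    return parse_version(version) >= FIXED_VERSION


def version_from_identity(xml_text):
    """Extract the version attribute from a /identity MediaContainer
    document (assumption: the attribute is named 'version')."""
    root = ET.fromstring(xml_text)
    return root.attrib["version"]


# Constructed sample of an /identity response, not captured from a real host.
SAMPLE_IDENTITY = (
    '<MediaContainer size="0" claimed="1" '
    'machineIdentifier="constructed-example" '
    'version="1.42.0.10004-c67dce28e"/>'
)

if __name__ == "__main__":
    v = version_from_identity(SAMPLE_IDENTITY)
    print(v, "affected" if is_affected(v) else "not affected")
```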

While Plex hasn't shared any details about the vulnerability so far, users are advised to follow the company's advice and patch their software before threat actors reverse engineer the patches and develop an exploit.
Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.
In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in the Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.
While the cybersecurity agency did not provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass' disclosure that one of its senior DevOps engineers' computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.
The attackers exploited this access to steal the engineer's credentials and compromise the LastPass corporate vault, resulting in a massive data breach in August 2022 after stealing LastPass's production backups and critical database backups.
The same month, Plex also notified users of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.
