
Plex warns users to patch security vulnerability immediately


Plex notified some of its users on Thursday to urgently update their media servers because of a recently patched security vulnerability.

The company has yet to assign a CVE ID to track the flaw and did not provide further details about the patch, saying only that it affects Plex Media Server versions 1.41.7.x to 1.42.0.x.

Yesterday, four days after releasing security updates that addressed the undisclosed security bug, Plex emailed those running affected versions, telling them to update their software as soon as possible.

“We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses,” the company said in the email.

“You are receiving this notice because our records indicate that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the latest version as soon as possible, if you have not already done so.”

Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.
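For administrators who run several servers, the first question is simply whether a given build falls inside the affected range. The following Python helper is an added example (it is not code from Plex or from this article): it parses a Plex version string, compares it against the affected range (1.41.7.x to 1.42.0.x) and the fixed build (1.42.1.10060) stated above, and reads the version out of the server's `/identity` response. The `/identity` endpoint and the shape of its XML are assumptions, and the sample response embedded below is constructed for illustration.

```python
"""Classify a Plex Media Server version against the published affected range.

Added example, not Plex's own code. Version numbers come from the advisory
text; the /identity endpoint layout is an assumption and SAMPLE_IDENTITY_XML
is a constructed sample, not a real server response.
"""
import xml.etree.ElementTree as ET

# Affected range and fixed build as stated in the Plex notification.
AFFECTED_LOW = (1, 41, 7)        # 1.41.7.x
AFFECTED_HIGH = (1, 42, 0)       # 1.42.0.x
FIXED = (1, 42, 1, 10060)        # 1.42.1.10060

# Constructed sample of what GET http://<server>:32400/identity is assumed to
# return; the machineIdentifier and version here are placeholders.
SAMPLE_IDENTITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<MediaContainer size="0" claimed="1"
    machineIdentifier="PLACEHOLDER-MACHINE-ID"
    version="1.42.0.10244-1a2b3c4d">
</MediaContainer>"""


def parse_version(version: str) -> tuple:
    """Turn '1.42.1.10060-abc123' into (1, 42, 1, 10060).

    Plex appends a build hash after a dash; it is not part of the ordering,
    so it is dropped. Missing components are padded with zeros so that
    '1.42.1' compares as (1, 42, 1, 0).
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Plex version string: {version!r}")
    numbers = [int(p) for p in parts]
    numbers += [0] * (4 - len(numbers))
    return tuple(numbers[:4])


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'outside_range' for a version string."""
    v = parse_version(version)
    if v >= FIXED:
        return "patched"
    if AFFECTED_LOW <= v[:3] <= AFFECTED_HIGH:
        return "vulnerable"
    # Older than the published range, or between 1.42.0.x and the fix:
    # not listed as affected, but still worth updating.
    return "outside_range"


def version_from_identity(xml_text: str) -> str:
    """Extract the version attribute from an /identity MediaContainer document."""
    root = ET.fromstring(xml_text)
    if root.tag != "MediaContainer" or "version" not in root.attrib:
        raise ValueError("not a MediaContainer with a version attribute")
    return root.attrib["version"]


if __name__ == "__main__":
    # Constructed inputs showing each outcome.
    for sample in ("1.41.6.9685", "1.41.7.9823", "1.42.0.10244-1a2b3c4d",
                   "1.42.1.10060", "1.43.0.10500"):
        print(f"{sample:<24} {classify(sample)}")
    reported = version_from_identity(SAMPLE_IDENTITY_XML)
    print(f"sample /identity reports {reported}: {classify(reported)}")
```

In practice the version string would come from an HTTP GET against each server's `/identity` URL (authenticated as the server's owner) rather than the embedded sample; the classification logic is the same either way.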

Plex email (BleepingComputer)

While Plex has not shared any details about the vulnerability so far, users are advised to follow the company's advice and patch their software before threat actors reverse engineer the patches and develop an exploit.

Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.

In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.

While the cybersecurity agency did not provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass' disclosure that one of its senior DevOps engineers' computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.

The attackers exploited this access to steal the engineer's credentials and compromise the LastPass corporate vault, resulting in a massive data breach in August 2022 after stealing LastPass's production backups and critical database backups.

The same month, Plex also notified users of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.
