
Plex warns customers to patch security vulnerability instantly

Plex notified some of its customers on Thursday to urgently update their media servers because of a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and did not provide additional details regarding the patch, only saying that it affects Plex Media Server versions 1.41.7.x to 1.42.0.x.

Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.

“We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses,” the company said in the email.

“You are receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so.”


Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.

Plex email (BleepingComputer)

While Plex hasn't shared any details regarding the vulnerability so far, users are advised to follow the company's advice and patch their software before threat actors reverse engineer the patches and develop an exploit.
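The practical task for an administrator here is inventory: find every Plex Media Server you operate, read its reported version, and decide whether it falls in the range Plex named or is already on the patched build. The following Python script is an added example, not code from the article or from Plex. It encodes the affected range (1.41.7.x to 1.42.0.x) and the patched release (1.42.1.10060) from the text above, parses Plex's "major.minor.patch.build-hash" version strings, and classifies each one. The `version_from_identity` helper assumes that Plex Media Server's unauthenticated `/identity` endpoint returns a `MediaContainer` element with a `version` attribute; the XML response and the host inventory in the script are constructed sample data, not captured from real servers.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Version bounds taken from Plex's notice (affected: 1.41.7.x to 1.42.0.x)
# and the patched release named in the article (1.42.1.10060).
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)
PATCHED = (1, 42, 1, 10060)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a Plex version string such as '1.42.1.10060-4e8b05da' into a
    tuple of ints. The build hash after '-' is dropped; at least
    major.minor.patch must be present."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 3:
        raise ValueError(f"unrecognised Plex version: {text!r}")
    return parts


def assess(text: str) -> str:
    """Classify a version: 'patched' (>= 1.42.1.10060), 'affected'
    (inside the range Plex named), or 'outdated' (older than the patched
    build but outside the named range; still needs updating)."""
    v = parse_version(text)
    if v >= PATCHED:
        return "patched"
    if AFFECTED_MIN <= v[:3] <= AFFECTED_MAX:
        return "affected"
    return "outdated"


def version_from_identity(xml_text: str) -> str:
    """Extract the 'version' attribute from the XML that Plex Media Server
    is assumed to return on its /identity endpoint."""
    root = ET.fromstring(xml_text)
    version = root.get("version")
    if not version:
        raise ValueError("no version attribute in identity response")
    return version


# Constructed sample of an /identity response; not captured from a real server.
SAMPLE_IDENTITY_XML = (
    '<MediaContainer size="0" claimed="1" machineIdentifier="EXAMPLE-ID" '
    'version="1.42.0.10000-abcdef0"></MediaContainer>'
)

# Constructed inventory of hostnames and the versions they report.
SAMPLE_INVENTORY: Dict[str, str] = {
    "plex-living-room": "1.41.7.9799-a1b2c3d4",
    "plex-office": "1.42.1.10060-4e8b05da",
    "plex-garage": "1.40.5.8900",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Return {host: status} for every server in the inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    print("identity sample:", assess(version_from_identity(SAMPLE_IDENTITY_XML)))
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18} {SAMPLE_INVENTORY[host]:25} {status}")
```

The three-way result matters: a server older than 1.41.7 is not in the range Plex listed, but it is still below the patched build, so the script reports it as "outdated" rather than silently treating it as safe. To run this against real servers, replace `SAMPLE_IDENTITY_XML` with the body fetched from each server's `/identity` URL.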

Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.

In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in the Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.

While the cybersecurity agency did not provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass' disclosure that one of its senior DevOps engineers' computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.


The attackers used this access to steal the engineer's credentials and compromise the LastPass corporate vault, leading to a massive data breach in August 2022 after stealing LastPass's production backups and critical database backups.

The same month, Plex also notified customers of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.
