Plex has notified a few of its customers on Thursday to urgently replace their media servers as a consequence of a not too long ago patched safety vulnerability.
The corporate has but to assign a CVE-ID to trace the flaw and did not present further particulars relating to the patch, solely saying that it impacts Plex Media Server variations 1.41.7.x to 1.42.0.x.
Yesterday, 4 days after releasing safety updates that addressed the mysterious safety bug, Plex emailed these working affected variations to replace their software program as quickly as potential.
“We not too long ago acquired a report through our bug bounty program that there was a possible safety situation affecting Plex Media Server variations 1.41.7.x to 1.42.0.x. Because of that consumer, we have been capable of deal with the difficulty, launch an up to date model of the server, and proceed to enhance our safety and defenses,” the corporate stated within the e-mail.
“You are receiving this discover as a result of our info signifies {that a} Plex Media Server owned by your Plex account is working an older model of the server. We strongly suggest that everybody replace their Plex Media Server to the latest model as quickly as potential, when you’ve got not already performed so.”
Plex Media Server 1.42.1.10060, the model that patches this vulnerability, might be downloaded from the server administration web page or the official downloads web page.
Whereas Plex hasn’t shared any particulars relating to the vulnerability thus far, customers are suggested to comply with the corporate’s recommendation and patch their software program earlier than risk actors reverse engineer the patches and develop an exploit.
Though Plex has skilled its share of essential and high-severity safety flaws through the years, this is without doubt one of the few situations the place the corporate has emailed clients about securing their programs towards a selected vulnerability.
In March 2023, CISA tagged a three-year-old distant code execution (RCE) flaw (CVE-2020-5741) within the Plex Media Server as actively exploited in assaults. As Plex defined two years earlier, when it launched patches, profitable exploitation can permit attackers to make the server execute malicious code.
Whereas the cybersecurity company did not present any info on the assaults exploiting CVE-2020-5741, they have been possible linked to LastPass’ disclosure that one in all its senior DevOps engineers’ computer systems had been hacked in 2022 to put in a keylogger by abusing a third-party media software program RCE bug.
The attackers exploited this entry to steal the engineer’s credentials and compromise the LastPass company vault, leading to a large knowledge breach in August 2022 after stealing LastPass’s manufacturing backups and significant database backups.
The identical month, Plex additionally notified customers of a knowledge breach and requested them to reset passwords after an attacker gained entry to a database containing emails, usernames, and encrypted passwords.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration traits.
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the most recent breakthroughs, get unique updates, and join with a worldwide community of future-focused thinkers.
Unlock tomorrow’s traits as we speak: learn extra, subscribe to our publication, and develop into a part of the NextTech group at NextTech-news.com
