Plex has urged certain users to promptly update their media servers due to a recent security vulnerability.
The company has not yet assigned a CVE ID to the flaw or published technical details of the fix. It did confirm that the vulnerability affects Plex Media Server versions 1.41.7.x through 1.42.0.x.
Four days after releasing the security fix, Plex emailed users with the affected versions, advising them to update their software immediately. "We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses," the company stated in the email.
The notice explained, "You're receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so." The patched version, Plex Media Server 1.42.1.10060, is available on the server management page and the official downloads page. Although details on the vulnerability are scarce, users are advised to patch their software before attackers can reverse engineer the fix to create an exploit.
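The practical check here is simply whether a given server sits inside the affected range, and whether it is older than the patched build. The script below is an added example, not code from Plex or from the original notice: it parses Plex's four-part version strings and compares them against the range the advisory names. The XML document it parses is a constructed sample of the response returned by the server's local `/identity` endpoint (`http://<host>:32400/identity`), which reports the running version without authentication; fetching it live is an optional step left to the caller.

```python
"""Check a Plex Media Server version against the advisory's affected range.

Affected (per the notice): 1.41.7.x through 1.42.0.x, inclusive.
Patched build (per the notice): 1.42.1.10060.
Added example; not Plex's own code. The sample XML below is constructed.
"""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Tuple

AFFECTED_MIN = (1, 41, 7)          # first affected major.minor.patch
AFFECTED_MAX = (1, 42, 0)          # last affected major.minor.patch
FIXED = (1, 42, 1, 10060)          # first build carrying the fix

# Constructed sample of an /identity response (machineIdentifier is fake).
SAMPLE_IDENTITY_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<MediaContainer size="0" claimed="1" '
    'machineIdentifier="0123456789abcdef0123456789abcdef01234567" '
    'version="1.42.0.9999-deadbeef"></MediaContainer>'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.42.1.10060-4e8b05da' into (1, 42, 1, 10060).

    Plex appends a short build hash after '-', which is not part of the
    numeric ordering and is dropped here.
    """
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected(version: str) -> bool:
    """True when major.minor.patch lies in 1.41.7 .. 1.42.0 (any build)."""
    core = parse_version(version)[:3]
    return AFFECTED_MIN <= core <= AFFECTED_MAX


def needs_update(version: str) -> bool:
    """True for anything older than the patched build.

    Servers older than 1.41.7 are outside the stated affected range but
    the notice still asks everyone to move to the latest release.
    """
    return parse_version(version) < FIXED


def version_from_identity_xml(xml_text: str) -> str:
    """Extract the 'version' attribute from an /identity MediaContainer."""
    root = ET.fromstring(xml_text)
    return root.attrib["version"]


def classify(version: str) -> str:
    """Human-readable verdict for one version string."""
    if is_affected(version):
        return "AFFECTED: in the 1.41.7.x-1.42.0.x range, update now"
    if needs_update(version):
        return "OUTDATED: outside the named range but older than the fix"
    return "OK: at or beyond the patched build"


def fetch_identity_version(base_url: str = "http://127.0.0.1:32400") -> str:
    """Optional live check against a reachable server (not used offline)."""
    with urllib.request.urlopen(base_url + "/identity", timeout=5) as resp:
        return version_from_identity_xml(resp.read().decode("utf-8"))


if __name__ == "__main__":
    running = version_from_identity_xml(SAMPLE_IDENTITY_XML)
    print(running, "->", classify(running))
    for v in ("1.41.6.9000-abc", "1.41.7.9100-abc", "1.42.1.10060-def"):
        print(v, "->", classify(v))
```

Run it as-is to see the sample classified; point `fetch_identity_version` at a real server (the default is the local instance on port 32400) to check a live installation. Comparing only the first three components for the affected-range test mirrors how the notice states the range, while `needs_update` compares all four so that an early 1.42.1 build below 10060 is still flagged.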
While Plex has had critical security flaws before, it is rare for the company to email users directly about a specific vulnerability.
In March 2023, the US cybersecurity agency CISA added a three-year-old remote code execution flaw in Plex Media Server (CVE-2020-5741, a deserialization bug) to its catalog of actively exploited vulnerabilities. Plex had previously explained that a remote, authenticated attacker could use it to run arbitrary Python code on the server.
The exploitation CISA flagged was likely tied to a 2022 intrusion in which a LastPass senior DevOps engineer's home computer was compromised through an RCE bug in third-party media software. The attackers used that foothold to steal credentials and reach the LastPass corporate vault, contributing to the major breach LastPass disclosed in August 2022. That same month, Plex notified users of its own data breach and asked them to reset their passwords after an attacker gained access to a database containing user information.