Plex has disclosed a **security vulnerability** in **Plex Media Server (versions 1.41.7.x to 1.42.0.x)** and is urging affected users to patch via an email alert. No CVE ID or technical details were shared, but the flaw was reported through Plex’s bug bounty program, which suggests it is potentially exploitable. The company stressed updating immediately to **version 1.42.1.10060** so that the fix is in place before threat actors reverse-engineer the patch. The current vulnerability, though not known to be exploited publicly, poses a risk of **remote code execution (RCE)**: an attacker could potentially execute malicious code on unpatched servers, leading to further system compromise or data exposure.

Historically, Plex has faced critical vulnerabilities, including **CVE-2020-5741 (RCE)**, which was later exploited in high-profile breaches such as the **LastPass attack (2022)**, where hackers used a third-party media software RCE to install a keylogger, steal credentials, and compromise corporate vaults. Plex itself also suffered a **data breach in August 2022**, exposing user emails, usernames, and encrypted passwords after an attacker accessed a database.
TPRM report: https://www.rankiteo.com/company/plex-inc
{
  "id": "ple845081625",
  "linkid": "plex-inc",
  "type": "Vulnerability",
  "date": "6/2020",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "customers_affected": "Users running Plex Media Server versions 1.41.7.x to 1.42.0.x",
      "industry": "Media Streaming",
      "location": "United States",
      "name": "Plex Inc.",
      "type": "Software Company"
    },
    {
      "industry": "Cybersecurity",
      "location": "United States",
      "name": "LastPass (Historical, 2022)",
      "type": "Password Management Company"
    }
  ],
  "customer_advisories": "Email notifications sent to users running vulnerable Plex Media Server versions.",
  "data_breach": {
    "data_encryption": "Yes (passwords were encrypted)",
    "data_exfiltration": "Yes (August 2022 breach)",
    "personally_identifiable_information": ["Emails", "Usernames"],
    "sensitivity_of_data": "Moderate (encrypted passwords reduce risk)",
    "type_of_data_compromised": ["Emails", "Usernames", "Encrypted Passwords (August 2022)"]
  },
  "date_publicly_disclosed": "2024-02-01T00:00:00Z",
  "description": "Plex notified users of a recently patched security vulnerability in Plex Media Server versions 1.41.7.x to 1.42.0.x. The flaw was reported via Plex's bug bounty program, prompting an urgent update to version 1.42.1.10060. While details of the vulnerability remain undisclosed, users were advised to patch immediately to prevent potential exploitation. This follows a history of critical flaws, including CVE-2020-5741 (a 3-year-old RCE vulnerability tagged by CISA as actively exploited in 2023), which was linked to the LastPass breach in 2022. Plex also experienced a separate data breach in August 2022, where attacker(s) accessed a database containing emails, usernames, and encrypted passwords.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to repeated security incidents (2022 breach and 2024 vulnerability)",
    "data_compromised": ["Emails", "Usernames", "Encrypted Passwords (August 2022 breach)"],
    "identity_theft_risk": "Low (encrypted passwords in 2022 breach)",
    "systems_affected": ["Plex Media Server (versions 1.41.7.x to 1.42.0.x)"]
  },
  "investigation_status": "Ongoing (for current vulnerability; resolved for August 2022 breach)",
  "lessons_learned": [
    "Proactive patching is critical to prevent exploitation of disclosed vulnerabilities.",
    "Bug bounty programs can effectively identify and mitigate security flaws.",
    "Historical vulnerabilities (e.g., CVE-2020-5741) may resurface in supply-chain attacks (e.g., LastPass breach).",
    "Transparent communication with users during security incidents builds trust."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Released patch for vulnerability (version 1.42.1.10060).",
      "Notified users to update and reset passwords (2022 breach).",
      "Enhanced bug bounty program to identify flaws proactively."
    ],
    "root_causes": [
      "Unpatched vulnerability in Plex Media Server (current incident).",
      "Exploitation of CVE-2020-5741 in third-party software (LastPass breach, 2022).",
      "Potential credential stuffing or brute-force attacks (August 2022 Plex breach)."
    ]
  },
  "recommendations": [
    "Users should immediately update Plex Media Server to version 1.42.1.10060 or later.",
    "Enable automatic updates for Plex Media Server where possible.",
    "Monitor for unauthorized access or unusual activity on Plex accounts.",
    "Use strong, unique passwords and enable multi-factor authentication (MFA) for Plex accounts.",
    "Regularly audit third-party software dependencies for known vulnerabilities."
  ],
  "references": [
    {"date_accessed": "2024-02-01T00:00:00Z", "source": "BleepingComputer", "url": "https://www.bleepingcomputer.com"},
    {"date_accessed": "2024-02-01T00:00:00Z", "source": "Plex Official Email Notification"},
    {"date_accessed": "2023-03-00T00:00:00Z", "source": "CISA Advisory on CVE-2020-5741", "url": "https://www.cisa.gov"},
    {"date_accessed": "2022-08-00T00:00:00Z", "source": "LastPass Breach Disclosure (2022)", "url": "https://blog.lastpass.com"}
  ],
  "response": {
    "communication_strategy": ["Email notifications to affected users", "Public advisory via BleepingComputer"],
    "containment_measures": ["Urgent patch release (version 1.42.1.10060)", "User notifications via email"],
    "incident_response_plan_activated": "Yes (for August 2022 breach and current vulnerability)",
    "remediation_measures": ["Password resets (August 2022 breach)"]
  },
  "stakeholder_advisories": "Users advised to update Plex Media Server and reset passwords (if affected by 2022 breach).",
  "title": "Plex Media Server Security Vulnerability and Urgent Patch Advisory",
  "type": ["Vulnerability Disclosure", "Data Breach (Historical, August 2022)"],
  "vulnerability_exploited": [
    {
      "current": {
        "cve_id": null,
        "description": "Unnamed vulnerability in Plex Media Server versions 1.41.7.x to 1.42.0.x (patched in 1.42.1.10060)",
        "severity": null
      },
      "historical": {
        "cve_id": "CVE-2020-5741",
        "description": "CVE-2020-5741 (RCE vulnerability, patched in 2020 but actively exploited in 2023)",
        "severity": "Critical"
      }
    }
  ]
}