Plex warns users to patch security vulnerability immediately

Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.

The company has yet to assign a CVE-ID to track the flaw and didn’t provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.

Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.

“We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses,” the company said in the email.

“You’re receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so.”

Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.

​While Plex hasn’t shared any details regarding the vulnerability so far, users are advised to follow the company’s advice and patch their software before threat actors reverse engineer the patches and develop an exploit.

Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.

In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in the Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.

While the cybersecurity agency didn’t provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass’ disclosure that one of its senior DevOps engineers’ computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.

The attackers exploited this access to steal the engineer’s credentials and compromise the LastPass corporate vault, resulting in a massive data breach in August 2022 after stealing LastPass’s production backups and critical database backups.

The same month, Plex also notified users of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.