Recent Plex Vulnerability Allows Full System Takeover

It was recently found that Plex had vulnerabilities that allowed hackers to do a full system takeover.

The three vulnerabilities that were found are CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742, which were detected by Tenable security researcher Chris Lyne and reported to Plex on May 31st.

If hackers are able to exploit these vulnerabilities, they could execute code to gain access to all files, create backdoors, and even move to other devices on the network.

Phishing for Plex Media Server Tokens (CVE-2020-5742)

Update to the latest version

Make sure that you are not vulnerable: log into your Plex server and update right away.

“We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer,” the Plex Security Team said. “Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade.”

“Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) features additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommended for all users to update to one of these releases.”

Plex also resolved the CVE-2020-5742 vulnerability by enabling automatic alerts on authentication pages to notify Plex users when they are logging into a media server that’s not hosted by Plex.
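To check a set of servers against the version thresholds quoted above, the following added example (not code from Plex or Tenable) classifies reported Plex Media Server version strings. The host names, the sample versions and the `-<build hash>` suffix format are assumptions, and 1.19.2.x builds below 2702 are conservatively treated as not yet hardened.

```python
import re

# Thresholds taken from the Plex Security Team statement quoted in the article.
MIN_PROTECTED = (1, 18, 2)          # older than this: still exploitable
HARDENED_1_19_1 = (1, 19, 1, 2701)  # hardened updater on the 1.19.1 line
HARDENED_1_19_2 = (1, 19, 2, 2702)  # hardened updater on 1.19.2 and newer

# Assumed format: three or four dotted numbers, optional "-<build hash>" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+){2,3})(?:-[0-9A-Za-z]+)?$")


def parse_version(text):
    """Return the numeric parts as a 4-tuple, padding a missing build with 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def classify(text):
    """Map a version string to exploitable / protected / hardened / unknown."""
    try:
        version = parse_version(text)
    except ValueError:
        return "unknown"  # flag for manual review rather than guessing
    if version[:3] < MIN_PROTECTED:
        return "exploitable"
    if version[:3] == (1, 19, 1):
        return "hardened" if version >= HARDENED_1_19_1 else "protected"
    return "hardened" if version >= HARDENED_1_19_2 else "protected"


def audit(inventory):
    """Classify every host in a {host: version} mapping."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and build hashes).
INVENTORY = {
    "media-01": "1.16.5.1554-abc123def",
    "media-02": "1.18.2.2058-abc123def",
    "media-03": "1.19.2.2700-abc123def",
    "media-04": "1.19.2.2702-abc123def",
    "media-05": "not reported",
}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {status}")
```

Hosts reported as `exploitable` or `unknown` are the ones to upgrade or inspect first.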
