Plex has issued an urgent security notice to users, recommending that they update their media server software immediately to address a recently discovered vulnerability. While the company hasn’t yet assigned a CVE-ID (Common Vulnerabilities and Exposures identifier) or provided specific details about the flaw, it has confirmed that it affects Plex Media Server versions 1.41.7.x to 1.42.0.x. The notice follows a report received through Plex’s bug bounty program, and the company’s decision to email affected users directly underscores how seriously it is treating the issue.
The security patch is included in Plex Media Server version 1.42.1.10060, which is now available for download. Users can get the update from the server management page or the official Plex downloads page. Cybersecurity experts advise users to install the patch as soon as possible, as threat actors often reverse engineer security patches to understand the underlying vulnerability and develop exploits. Updating promptly is the best defense against this kind of attack. The fact that Plex has emailed users directly is unusual and underscores the importance of this update.
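To triage which servers still need this update, an administrator can compare each server’s reported version against the ranges given in the advisory. The following is an added example (not code from Plex or from this article); it assumes the version string is either pasted in by hand or read from the server’s unauthenticated `/identity` endpoint on port 32400, and it treats the trailing build hash that Plex appends (e.g. `-4e8b05daf`) as irrelevant to ordering.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Tuple

Version = Tuple[int, int, int, int]

# Ranges exactly as stated in the advisory: affected 1.41.7.x .. 1.42.0.x,
# fixed in 1.42.1.10060.
AFFECTED_MIN: Version = (1, 41, 7, 0)
AFFECTED_MAX_PREFIX = (1, 42, 0)      # any 1.42.0.x build counts as affected
FIXED: Version = (1, 42, 1, 10060)

# major.minor.patch.build with an optional "-<buildhash>" suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z]+)?$")


def parse_version(text: str) -> Version:
    """Parse a Plex version string into a comparable 4-tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Plex version string: {text!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def status(version: str) -> str:
    """Classify a version against the advisory.

    'patched'    -> at or above the fixed release
    'affected'   -> inside the range the advisory lists as vulnerable
    'not-listed' -> pre-fix but outside the stated range; still update
    """
    v = parse_version(version)
    if v >= FIXED:
        return "patched"
    if v >= AFFECTED_MIN and v[:3] <= AFFECTED_MAX_PREFIX:
        return "affected"
    return "not-listed"


def fetch_version(base_url: str = "http://127.0.0.1:32400") -> str:
    """Read the 'version' attribute from the server's /identity XML.

    Assumption: /identity needs no token and returns a <MediaContainer>
    element whose 'version' attribute is the running server version.
    """
    with urllib.request.urlopen(f"{base_url}/identity", timeout=5) as resp:
        root = ET.fromstring(resp.read())
    return root.attrib["version"]
```

Run `status(fetch_version("http://<server>:32400"))` against each server in your inventory and prioritise the ones that return anything other than `patched`.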
This isn’t the first time Plex has faced security challenges. For example, a three-year-old remote code execution (RCE) flaw, CVE-2020-5741, was actively exploited in 2023. An RCE vulnerability allows an attacker to run code of their choosing on the affected host. The exploitation of this specific flaw was likely linked to the LastPass data breach in 2022, in which an attacker gained access to a DevOps engineer’s computer by exploiting a third-party media software bug. This incident demonstrates how a seemingly isolated vulnerability can lead to major security compromises.
The LastPass breach is a critical case study in the domino effect of cybersecurity vulnerabilities. Attackers used the RCE flaw to install a keylogger, steal credentials, and ultimately compromise LastPass’s corporate vault. This led to the theft of production and database backups, resulting in a massive data breach. This incident highlights the interconnectedness of systems and the potential for a single vulnerability to be a gateway to a larger-scale attack.
In addition to software vulnerabilities, Plex has also dealt with data breaches affecting user accounts. In August 2022, Plex notified users of a data breach where an attacker accessed a database containing user emails, usernames, and encrypted passwords. Users were asked to reset their passwords as a precautionary measure. These incidents, both recent and in the past, reinforce the importance of vigilance and prompt action when companies like Plex issue security advisories.