Pierluigi Paganini March 13, 2023

US CISA added remote code execution vulnerability in Plex Media Server to its Known Exploited Vulnerabilities Catalog.

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability in the Plex Media Server, tracked as CVE-2020-5741 (CVSS score: 7.2), to its Known Exploited Vulnerabilities Catalog.

The three-year-old high-severity flaw is a deserialization of untrusted data in Plex Media Server on Windows, a remote, authenticated attacker can trigger it to execute arbitrary Python code.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.” reads the advisory published by Plex. “This issue could not be exploited without first gaining access to the server’s Plex account.”

The company addressed the vulnerability with the release of Plex Media Server 1.19.3 in May 2020.

The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers.

Recently, the password management software firm disclosed a “second attack,” a threat actor used data stolen from the August security breach and combined it with information available from a third-party data breach. Then the attackers exploited a flaw in a third-party media software package to target the firm.

LastPass revealed that the home computer of one of its DevOp engineers was hacked as part of a sophisticated cyberattack.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this flaw by March 31, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Plex)