The US Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerabilities impacting Plex and VMware products to its Known Exploited Vulnerabilities (KEV) catalog.

Tracked as CVE-2020-5741, the first is a high-severity flaw in Plex Media Server that is described as a deserialization issue that can be exploited to execute arbitrary Python code remotely.

“This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it,” Plex noted in a May 2020 advisory.

Addressed with the release of Plex Media Server 1.19.3, the vulnerability requires the attacker to have admin access to a Plex Media Server for successful exploitation, which made it unlikely to be targeted in attacks.

However, Plex in August 2022 disclosed a data breach that likely impacted over 15 million customers, and which resulted in usernames, emails, and password data being stolen.

This essentially opened the door for the exploitation of unpatched Plex Media Server instances still impacted by CVE-2020-5741.

While CISA added the vulnerability to the KEV list without sharing details on in-the-wild exploitation, media reports suggested recently that last year’s LastPass data breach that led to the theft of user vault data might be related to a Plex bug exploited to hack a DevOps engineer’s computer.

Plex provided the following statement to SecurityWeek: