
Plex on Thursday informed some of its users that they should update their media servers immediately due to a recently patched security vulnerability.
The company has yet to assign a CVE ID to track the flaw and has not provided additional details about the patch, saying only that it affects Plex Media Server versions 1.41.7.x to 1.42.0.x.
Four days after issuing security updates that addressed the mysterious security bug, Plex emailed users running the affected versions, asking them to update their software as soon as possible.
“We have recently received a report through our Bug Bounty Program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and improve our security and defenses,” the company said in the email.
“You are receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an old version of the server.”
Plex Media Server 1.42.1.10060, the version that addresses this vulnerability, can be downloaded from the server management page or the official download page.

While Plex has not yet shared any details about the vulnerability, users are advised to follow the company’s advice and patch their software.
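For anyone running more than one server, the version bounds quoted above can be turned into a quick inventory check. The following is an added example, not code from Plex or from the original article; the inventory entries, the hostnames and the optional "-<build id>" suffix on version strings are assumptions made for illustration.

```python
import re

# Bounds as stated in the advisory text: 1.41.7.x through 1.42.0.x are
# affected, and 1.42.1.10060 carries the fix.
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)
FIXED = (1, 42, 1, 10060)

# Assumption: four numeric fields, optionally followed by "-<build id>".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z]+)?$")


def classify(version_text):
    """Map a version string to affected / patched / review / not-listed / unparseable."""
    match = VERSION_RE.match(version_text.strip())
    if not match:
        return "unparseable"
    # Compare as integers: as strings, "1.41.10" would sort before "1.41.7".
    version = tuple(int(part) for part in match.groups())
    if AFFECTED_MIN <= version[:3] <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED:
        return "patched"
    if version[:3] < AFFECTED_MIN:
        return "not-listed"  # older than the range the advisory names
    return "review"  # a 1.42.1 build below 10060


def needs_attention(inventory):
    """Return (host, version, status) for every entry that is not patched."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return [row for row in rows if row[2] != "patched"]


# Constructed inventory for illustration (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("media-01", "1.42.1.10060"),
    ("media-02", "1.42.0.10039-a1b2c3d4e"),
    ("media-03", "1.41.10.5"),
    ("media-04", "1.41.6.9999"),
    ("media-05", "unknown"),
]

if __name__ == "__main__":
    for host, ver, status in needs_attention(SAMPLE_INVENTORY):
        print(f"{host}\t{ver}\t{status}")
```

Entries reported as "not-listed" or "review" fall outside the range the advisory names, so they are flagged for a manual look rather than declared safe.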
Although Plex has had its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.
In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) as actively exploited in attacks. As Plex explained two years ago when it released the patch, successful exploitation may allow attackers to execute malicious code on the server.
While the cybersecurity agency did not give any information on the attacks exploiting CVE-2020-5741, they were probably associated with LastPass's disclosure that the computer of one of its senior DevOps engineers was hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.
The attackers used this access to steal the engineer’s credentials and compromise the LastPass corporate vault, resulting in a large-scale data breach in August 2022 after they stole LastPass production backups and critical database backups.
The same month, Plex also informed users of a data breach and asked them to reset their passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.


