Plex Urges Users to Patch Critical Security Flaw Now

Summary
– Plex alerted users to urgently update their media servers due to a recently patched security vulnerability affecting versions 1.41.7.x to 1.42.0.x.
– The vulnerability was reported via Plex’s bug bounty program, prompting the release of a patched version (1.42.1.10060).
– Plex has not disclosed details about the flaw but strongly advised users to update to the latest version to prevent potential exploits.
– This is a rare instance where Plex directly emailed customers about a specific vulnerability, unlike past critical flaws.
– A previous Plex RCE flaw (CVE-2020-5741) was exploited in 2022, linked to a LastPass breach, and Plex also suffered a data breach the same month.
Plex has issued an urgent security alert, advising users to immediately update their media server software to address a newly discovered vulnerability. The company sent targeted emails to customers running outdated versions, though specifics about the nature of the flaw remain undisclosed.
The affected software includes Plex Media Server versions 1.41.7.x through 1.42.0.x, with the patched version (1.42.1.10060) now available for download. Plex credited an anonymous bug bounty program participant for identifying the issue, prompting the swift release of a fix. While no CVE identifier has been assigned yet, the company emphasized the importance of updating to mitigate potential risks.
This proactive warning is unusual for Plex, which typically reserves such direct communications for critical threats. The absence of technical details suggests the vulnerability could be severe, leaving unpatched servers exposed should an exploit emerge. Historically, unpatched Plex servers have been targeted in attacks, including a 2020 remote code execution flaw (CVE-2020-5741) that resurfaced in active exploits last year.
Cybersecurity experts recommend applying updates immediately, as delays could allow malicious actors to reverse-engineer the patch and develop exploits. Past incidents highlight the risks: unauthorized access to Plex servers has led to credential theft and even corporate breaches, as seen in the 2022 LastPass incident linked to a third-party media software vulnerability.
Plex users can download the latest version directly from the server management interface or the official website. Those who haven’t received the email should manually check their server version to ensure protection. Given the platform’s history of security challenges, staying current with patches remains the best defense against emerging threats.
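The manual version check described above, as an added example that is not part of the article or of Plex's own tooling: it parses a Plex Media Server version string and classifies it against the advisory's affected range (1.41.7.x through 1.42.0.x) and fixed build (1.42.1.10060). The XML sample is constructed, modelled on the assumption that the server's `/identity` endpoint reports its version as a `version` attribute on `MediaContainer`; the version string can equally be copied from the server's settings page.

```python
"""Classify a Plex Media Server version against the advisory's ranges.

Affected: 1.41.7.x through 1.42.0.x (inclusive).  Fixed: 1.42.1.10060.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

AFFECTED_MIN = (1, 41, 7)      # first affected series, 1.41.7.x
AFFECTED_MAX = (1, 42, 0)      # last affected series, 1.42.0.x
FIXED = (1, 42, 1, 10060)      # patched release named in the advisory

# Constructed sample, not captured from a real server.  Assumes the
# /identity endpoint exposes the version as shown (an assumption).
SAMPLE_IDENTITY_XML = (
    '<MediaContainer size="0" claimed="1" machineIdentifier="EXAMPLE-ID" '
    'version="1.42.0.10012-abcdef123"/>'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.42.1.10060-4e8b05daf' into (1, 42, 1, 10060).

    The '-<hash>' build suffix is dropped; anything that is not at least
    major.minor.patch with numeric fields raises ValueError."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Plex version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Return 'affected', 'patched', 'update-recommended' or 'outside-range'."""
    v = parse_version(text)
    series = v[:3]                 # major.minor.patch; the trailing 'x' build is ignored
    if AFFECTED_MIN <= series <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "patched"
    if series < AFFECTED_MIN:
        return "outside-range"     # older than the advisory covers; still update
    return "update-recommended"    # a 1.42.1.x build below the fixed build number


def version_from_identity(xml_text: str) -> str:
    """Extract the version attribute from an /identity-style response."""
    version = ET.fromstring(xml_text).get("version")
    if not version:
        raise ValueError("no version attribute on MediaContainer")
    return version


if __name__ == "__main__":
    current = version_from_identity(SAMPLE_IDENTITY_XML)
    print(current, "->", classify(current))
```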
The company’s recent breach notification in August 2022, where hackers accessed encrypted passwords and user data, further underscores the importance of timely updates. While Plex hasn’t disclosed whether this new flaw is actively exploited, caution is warranted. Proactive measures now could prevent significant disruptions later.
(Source: Bleeping Computer)