
Tje U.S. CISA has added a remote code execution (RCE) vulnerability in the Plex Media Server to its Known Exploited Vulnerabilities Catalog.
The three-year-old high-severity flaw , tracked as CVE-2020-5741 with a CVSS score: 7.2 is a deserialization of untrusted data in Plex Media Server on Windows, a remote, authenticated attacker that can trigger it to execute arbitrary Python code.
This allows an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.
The company addressed the vulnerability with the release of Plex Media Server 1.19.3 in May 2020.
The security breach suffered by LastPass was caused by the failure to update Plex on the home computer of one of its engineers.
CISA orders federal agencies to fix this flaw by March 31, 2023.