Plex Media Server Remote Code Execution (RCE) Vulnerability - 20230314001
Overview
The Plex Media Server plugin framework contains a flaw that allows a remote attacker (authenticated with admin privileges) to execute arbitrary Python code within the context of the current OS user. Specifically, when a "Dict" file is loaded for a given plugin, the contents are unpickled without validation. The Dict file can be delivered remotely via the camera upload feature.
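The following is an added example, not Plex's code and not part of the advisory: it models the flaw described above under the assumption that a plugin Dict file is a pickled Python dict, and places the vulnerable pattern (blind `pickle.loads`) beside a hardened loader. The loader functions, the opcode list and the sample files are assumptions of this example; only the "unpickled without validation" behaviour comes from the advisory. The hardened path has three layers: a static scan of the pickle opcode stream for anything that can import or call code, an `Unpickler` whose `find_class` refuses every global lookup, and a type check on the result.

```python
import collections
import io
import pickle
import pickletools

# Opcodes that let a pickle stream import a module attribute or invoke
# a callable while loading. A file that only carries plain data
# (dicts, lists, strings, numbers) never needs any of them.
CODE_OPCODES = frozenset({
    "GLOBAL", "STACK_GLOBAL",          # resolve module.attr
    "REDUCE", "INST", "OBJ",           # call the resolved callable
    "NEWOBJ", "NEWOBJ_EX", "BUILD",    # construct an instance / __setstate__
})


class RestrictedUnpickler(pickle.Unpickler):
    """Second layer: refuse every global lookup, so even an opcode that
    slipped past the scan cannot resolve to a callable."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not allowed in a Dict file")


def scan_pickle(data: bytes) -> list:
    """Return (opcode name, byte offset) for every code-capable opcode."""
    hits = []
    for opcode, _arg, pos in pickletools.genops(data):
        if opcode.name in CODE_OPCODES:
            hits.append((opcode.name, pos))
    return hits


def unsafe_load_dict(data: bytes):
    """The vulnerable pattern (assumed): build whatever the bytes describe."""
    return pickle.loads(data)


def safe_load_dict(data: bytes) -> dict:
    """Hardened loader: static scan, global-free unpickler, then type check."""
    hits = scan_pickle(data)
    if hits:
        raise pickle.UnpicklingError(f"rejected Dict file, code opcodes at {hits}")
    obj = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(obj, dict):
        raise pickle.UnpicklingError(f"expected dict, got {type(obj).__name__}")
    return obj


# Constructed sample inputs (not real Plex Dict files).
BENIGN = pickle.dumps({"last_scan": 1678752000, "items": ["a", "b"]})
# OrderedDict is harmless, but pickling it records an import of
# collections.OrderedDict followed by a constructor call: the same
# mechanism a hostile file would use to reach an arbitrary callable.
WITH_GLOBAL = pickle.dumps(collections.OrderedDict(a=1))


def demo() -> dict:
    """Run both loaders over both samples and report what each did."""
    result = {
        "benign_hits": scan_pickle(BENIGN),
        "global_hits": [name for name, _ in scan_pickle(WITH_GLOBAL)],
        "unsafe_global": dict(unsafe_load_dict(WITH_GLOBAL)),  # loads, calls code
        "safe_benign": safe_load_dict(BENIGN),
    }
    try:
        safe_load_dict(WITH_GLOBAL)
        result["safe_global"] = "loaded"
    except pickle.UnpicklingError:
        result["safe_global"] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scan is the useful part for defenders reviewing an unpickle call in any product: `pickletools.genops` walks the stream without executing it, so a file can be classified before it is ever loaded. Where a format only needs to carry data, the stronger fix is to stop using pickle for it (JSON carries a dict just as well), which is what the restricted unpickler approximates here; for this advisory the actionable fix remains the vendor upgrade.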
What is the vulnerability?
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
What is vulnerable?
CVE-2020-5741 - Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
The ACSC is not aware of successful exploitation attempts against Australian organisations.
Recommendations
Upgrade to Plex Media Server 1.19.3.
Reference
- Security: Regarding CVE-2020-5741 https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819