If you run a Plex media server, you may need to update it right now to patch a major security flaw. The company notified some users late last week of a vulnerability affecting Plex Media Server versions 1.41.7.x to 1.42.0.x and urged recipients to download the fix ASAP.
Why you should pay attention to this Plex security issue
As Bleeping Computer reports , Plex has experienced a number of critical and high-severity bugs in the past but rarely alerts users to specific vulnerabilities and urgent updates—so this one is likely quite serious.
One actively exploited Plex security issue was implicated in the massive 2022 LastPass data breach . The remote code execution vulnerability, labeled CVE-2020-5741, allowed attackers access to the Plex account of a LastPass engineer, who hadn’t updated their software with the appropriate patch. As a result, threat actors were able to install a keylogger to steal the employee’s credentials, which gave them access to the LastPass corporate vault. According to Plex’s statement about the event, the version running on the engineer’s server was “roughly 75 versions ago.”
Plex hasn’t shared any further information about this current flaw or assigned a CVE-ID, so it’s not clear what exactly the vulnerability is. Some users received an email describing a “potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x” identified via the bug bounty program. The message also stated “We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so.”
The patch for this latest vulnerability is Plex Media Server version 1.42.1.10060 (or later), which you can get via your server management page or the company’s downloads page .
