CISA warns of actively exploited Plex bug after LastPass breach


CISA has added an almost three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of security flaws exploited in attacks.

Tracked as CVE-2020-5741, this security flaw allows threat actors with admin privileges to execute arbitrary Python code remotely in low-complexity attacks that don’t require user interaction.

Attackers with “admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” according to an advisory published by the Plex Security Team in May 2020 when it patched the bug with the release of Plex Media Server 1.19.3.

“This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server’s Plex account.”

While CISA didn’t provide any info on the attacks where the CVE-2020-5741 was exploited, this is likely linked to LastPass recently disclosing that a senior DevOps engineer’s computer was hacked last year to install a keylogger by abusing a third-party media software RCE bug.

The attackers eventually gained access to the engineer’s credentials and LastPass corporate vault. This led to a massive August 2022 data breach after the threat actors exfiltrated LastPass production backups and critical database backups.

Plex RCE reportedly used to hack LastPass engineer

Even though LastPass didn’t disclose what software flaw was exploited to hack into the engineer’s computer, Ars Technica reported that the software package exploited on the employee’s home computer was Plex.

Coincidentally, in August, Plex also notified customers of a data breach and asked them to reset their passwords after LastPass disclosed a second breach of its own.

On Friday, CISA also added a critical severity vulnerability in VMware’s Cloud Foundation (tracked as CVE-2021-39144), exploited in the wild since early December, to its Known Exploited Vulnerabilities (KEV) catalog.

According to a November 2021 binding operational directive (BOD 22-01), the U.S. federal agencies are now also required to secure their systems against attacks until March 31st to block attack attempts that might target their networks by exploiting the two flaws.

Although the BOD 22-01 only applies to federal agencies, CISA strongly urged all organizations to patch these bugs to defend against ongoing attacks.


  • h_b_s Photo h_b_s – 2 days ago

    LastPast's particular tale of woe should be an object lesson to both governments and organizations why you do NOT want employees bringing their own devices into the work environment (even when working from home), nor should IT staff be complying with requests even from senior staff to install personal software on work devices.

    I'm not going to go into the rabbit hole of being fired for doing your job. That's for your lawyer to discuss with you. But generally speaking, you don't want to work for a company that ignores data and physical security in this environment anyway. It's bad for your professional reputation. It's bad for your mental and physical health. And it's probably bad for your personal liability situation, especially when regulatory compliance issues are in play. The days where identity and data security could be ignored are long gone.


Related posts

Canadian food retail giant Sobeys hit by Black Basta ransomware

Sarah Henriquez

Dish Network confirms ransomware attack behind multi-day outage

Sarah Henriquez

Cisco warns of auth bypass bug with public exploit in EoL routers

Sarah Henriquez

Leave a Comment