Plex Media Server Remote Code Execution Vulnerability
Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
A remote attacker, with administrative privileges, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2023-03-31 under CISA BOD 22-01.
This is a Deserialization of Untrusted Data (CWE-502) vulnerability in Plex Media Server. Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code. Exploitation requires remote network access, low attack complexity, an administrative account, and no user interaction required.
Probably yes if any of these apply:
Active exploitation documented in the wild. Threat-research write-up: http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html
Manual remediation steps
Apply the Vendor Patch
This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.
CISA required action: Apply updates per vendor instructions.
References
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
References