CISA has added a nearly three-year-old high-severity Remote Code Execution (RCE) vulnerability in Plex Media Server to its catalog of exploited security flaws in attacks.
Tracked as CVE-2020-5741, this security flaw allows threat actors with administrator privileges to remotely execute arbitrary Python code in low-complexity attacks that do not require user interaction.
Attackers with “administrator access to the Plex Media Server could abuse the camera upload feature to cause the server to execute malicious code,” according to an advisory posted by Plex’s security team in May 2020, when it fixed the bug with the release of Plex Media Server 1.19.3.
“This can be done by setting the server’s data directory to overlap with the content location of a library in which camera upload has been enabled. This issue cannot be exploited without first gaining access to the Plex account of the server.”
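As an added illustration (not code from the article or from Plex), the overlap condition quoted above can be turned into a defensive configuration audit. The version threshold is the 1.19.3 fix the article names; the input shape (a data directory plus a list of libraries carrying a camera-upload flag) and the POSIX path handling are assumptions, since Plex’s own configuration format is not described here.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Fixed release per the Plex advisory cited in the article.
FIXED_VERSION = (1, 19, 3)


def parse_version(version: str) -> tuple:
    """Reduce a Plex version string such as '1.19.3.2764-ef515a800' to (1, 19, 3)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def is_patched(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def paths_overlap(a: str, b: str) -> bool:
    """True when the two paths are equal or one lies inside the other.

    Assumes POSIX-style absolute paths; normalising removes '..' and trailing
    slashes so that superficially different spellings still compare equal.
    """
    pa = PurePosixPath(posixpath.normpath(a))
    pb = PurePosixPath(posixpath.normpath(b))
    return pa == pb or pa in pb.parents or pb in pa.parents


def audit(version: str, data_dir: str, libraries: list) -> list:
    """Return human-readable findings for the CVE-2020-5741 preconditions.

    libraries: assumed list of dicts with 'name', 'path' and 'camera_upload'.
    """
    findings = []
    if not is_patched(version):
        findings.append(f"server version {version} predates the 1.19.3 fix")
    for lib in libraries:
        if lib.get("camera_upload") and paths_overlap(data_dir, lib["path"]):
            findings.append(
                f"library '{lib['name']}' at {lib['path']} overlaps the data "
                f"directory {data_dir} and has camera upload enabled"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real server.
    sample_libs = [
        {"name": "Photos", "path": "/srv/plex/data/Uploads/", "camera_upload": True},
        {"name": "Movies", "path": "/srv/media/movies", "camera_upload": False},
    ]
    for line in audit("1.18.9", "/srv/plex/data", sample_libs):
        print("FINDING:", line)
```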
While CISA did not provide any information about the attacks in which CVE-2020-5741 was exploited, this is likely related to LastPass recently revealing that a senior DevOps engineer’s computer was hacked last year to install a keylogger by abusing an RCE bug in third-party media software.
The attackers eventually gained access to the engineer’s credentials and LastPass’s corporate vault. This led to a massive data breach in August 2022 after threat actors extracted LastPass production backups and critical database backups.
Plex RCE reportedly used to hack LastPass engineer
Although LastPass did not disclose which software flaw was exploited to hack into the engineer’s computer, Ars Technica reported that the software package exploited on the employee’s home computer was Plex.
Coincidentally, in August, Plex also notified customers of a data breach and asked them to reset their passwords, after LastPass had revealed a second breach of its own.
On Friday, CISA also added a critical severity vulnerability in VMware’s Cloud Foundation (tracked as CVE-2021-39144), exploited in the wild since early December, to its catalog of known exploited vulnerabilities (KEVs).
Under the November 2021 binding operational directive (BOD 22-01), US federal agencies are now also required to patch their systems against the two flaws by March 31 to block attack attempts that may target their networks.
Although BOD 22-01 only applies to federal agencies, CISA strongly urged all organizations to patch these flaws to defend against ongoing attacks.