CISA has added an almost three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of security flaws exploited in attacks.
Tracked as CVE-2020-5741, this security flaw allows threat actors with admin privileges to execute arbitrary Python code remotely in low-complexity attacks that don’t require user interaction.
Attackers with “admin access to a Plex Media Server could abuse the Camera Upload feature to make the server execute malicious code,” according to an advisory published by the Plex Security Team in May 2020 when it patched the bug with the release of Plex Media Server 1.19.3.
“This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled. This issue could not be exploited without first gaining access to the server’s Plex account.”
While CISA didn’t provide any info on the attacks where the CVE-2020-5741 was exploited, this is likely linked to LastPass recently disclosing that a senior DevOps engineer’s computer was hacked last year to install a keylogger by abusing a third-party media software RCE bug.
The attackers eventually gained access to the engineer’s credentials and LastPass corporate vault. This led to a massive August 2022 data breach after the threat actors exfiltrated LastPass production backups and critical database backups.
Plex RCE reportedly used to hack LastPass engineer
Even though LastPass didn’t disclose what software flaw was exploited to hack into the engineer’s computer, Ars Technica reported that the software package exploited on the employee’s home computer was Plex.
Coincidentally, in August, Plex also notified customers of a data breach and asked them to reset their passwords after LastPass disclosed a second breach of its own.
On Friday, CISA also added a critical severity vulnerability in VMware’s Cloud Foundation (tracked as CVE-2021-39144), exploited in the wild since early December, to its Known Exploited Vulnerabilities (KEV) catalog.
According to a November 2021 binding operational directive (BOD 22-01), the U.S. federal agencies are now also required to secure their systems against attacks until March 31st to block attack attempts that might target their networks by exploiting the two flaws.
Although the BOD 22-01 only applies to federal agencies, CISA strongly urged all organizations to patch these bugs to defend against ongoing attacks.