CVE-2018-13415
Published 2018-08-13
Priority: P2 · 76 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 31.81% (98.1th percentile)
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plex | media_server | — | — |
Detection & IOCs (extracted from sources)
- Monitor for outbound SMB connections (port 445) originating from the Plex Media Server process; this is anomalous and indicates XXE-triggered NTLM relay/capture activity.
- Detect HTTP GET requests to paths matching /ssdp/device-desc.xml and /ssdp/data.dtd on attacker-controlled servers; these are the XXE payload delivery paths used in exploitation.
- Alert on HTTP GET requests containing the pattern /?exfiltrated= in the URI, which indicates successful out-of-band XXE file exfiltration from Plex.
- Monitor SSDP traffic (UDP 239.255.255.250:1900) for M-SEARCH responses that include a Device Descriptor URL pointing to an external or non-local host, which is the initial XXE trigger vector.
- Inspect XML content fetched by Plex over HTTP for DOCTYPE declarations containing ENTITY tags referencing SMB (file://) or HTTP URIs; presence of these in SSDP device descriptors is the XXE payload signature.
- Look for the [XXE VULN!!!!] log pattern or equivalent: a User-Agent of 'None' making requests to /ssdp/device-desc.xml, which is the fingerprint of Plex's libxml2 XXE callback.
- Note: the attack is limited to attackers on the same LAN as the Plex server, as it requires responding to SSDP UDP multicast traffic on the local network segment.
- Note: file exfiltration via XXE (POC 2) is limited to single-line files with no whitespace; multi-line or whitespace-containing files cannot be reliably exfiltrated with this technique.
- Note: the vulnerability is exploited automatically upon Plex restart; no user interaction beyond restarting the service is required, making it a zero-click attack on the LAN.
- Note: the XXE is processed by libxml2 within Plex's SSDP/UPnP component; the affected component and library should be the focus of patching and version tracking.
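The detection notes above can be turned into a small triage script. The following is an added example, not part of this record and not Plex's own code: it applies each indicator (Plex-originated outbound SMB, fetches of the two SSDP payload paths, the /?exfiltrated= marker, the 'None' User-Agent fingerprint, a DOCTYPE with an external entity, and an M-SEARCH descriptor URL outside the local segment) to constructed sample telemetry. The access-log format, the `process`/`direction`/`dst_ip`/`dst_port` field names of the network events, the Plex process names and the 192.0.2.0/24 LAN range are all assumptions made for the example; adapt them to your own telemetry.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators taken from the detection notes for CVE-2018-13415.
XXE_DELIVERY_PATHS = ("/ssdp/device-desc.xml", "/ssdp/data.dtd")
LIBXML2_FETCH_PATH = "/ssdp/device-desc.xml"   # path the 'None' User-Agent fingerprint applies to
EXFIL_MARKER = "/?exfiltrated="
SMB_PORT = 445
# Assumption: process names as they appear in endpoint telemetry; adjust per platform.
PLEX_PROCESS_NAMES = {"plex media server", "plex media server.exe"}

# Combined-log-format access line (assumed format for this example).
HTTP_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# DOCTYPE internal subset declaring a SYSTEM entity resolved over file://, smb:// or http(s)://.
EXTERNAL_ENTITY = re.compile(
    r'<!DOCTYPE[^>]*\[.*?<!ENTITY\s+\S+\s+SYSTEM\s+"(?P<uri>(?:file|smb|https?)://[^"]*)"',
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Finding:
    source: str     # telemetry that produced it: http, netconn, descriptor, ssdp
    indicator: str  # short tag for the matched indicator
    detail: str     # human-readable context


def classify_http_line(line: str) -> list[Finding]:
    """Tag one access-log line with the XXE indicators it matches (empty list if none)."""
    m = HTTP_LINE.match(line)
    if not m or m["method"] != "GET":
        return []
    src, uri, ua = m["src"], m["uri"], m["ua"]
    path = uri.split("?", 1)[0]
    found = []
    if path in XXE_DELIVERY_PATHS:
        found.append(Finding("http", "xxe_payload_fetch", f"{src} fetched {path}"))
    if path == LIBXML2_FETCH_PATH and ua == "None":
        found.append(Finding("http", "libxml2_callback_fingerprint", f"{src} used User-Agent 'None' for {path}"))
    if EXFIL_MARKER in uri:
        found.append(Finding("http", "oob_exfiltration", f"{src} carried exfiltrated data in {uri}"))
    return found


def classify_network_event(event: dict) -> list[Finding]:
    """Flag an outbound connection to TCP/445 whose originating process is Plex Media Server."""
    proc = str(event.get("process", "")).lower()
    if event.get("direction") == "outbound" and event.get("dst_port") == SMB_PORT and proc in PLEX_PROCESS_NAMES:
        return [Finding("netconn", "plex_outbound_smb", f"{event['process']} -> {event['dst_ip']}:{SMB_PORT}")]
    return []


def classify_descriptor(src: str, xml_text: str) -> list[Finding]:
    """Flag a fetched SSDP device descriptor whose DOCTYPE declares an external entity."""
    m = EXTERNAL_ENTITY.search(xml_text)
    if m:
        return [Finding("descriptor", "external_entity_in_doctype", f"{src} served entity resolving to {m['uri']}")]
    return []


def classify_ssdp_location(responder: str, location: str, lan: ipaddress.IPv4Network) -> list[Finding]:
    """Flag an M-SEARCH response whose descriptor URL points outside the local segment."""
    host = urlparse(location).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # hostname, not a literal IP: cannot be verified offline, treat as non-local
        return [Finding("ssdp", "nonlocal_descriptor_url", f"{responder} advertised {location} (hostname)")]
    if addr not in lan:
        return [Finding("ssdp", "nonlocal_descriptor_url", f"{responder} advertised {location}")]
    return []


def scan(http_lines, net_events, descriptors, ssdp_locations, lan) -> list[Finding]:
    """Run every check over the supplied telemetry and return the combined findings."""
    findings: list[Finding] = []
    for line in http_lines:
        findings += classify_http_line(line)
    for ev in net_events:
        findings += classify_network_event(ev)
    for src, xml_text in descriptors:
        findings += classify_descriptor(src, xml_text)
    for responder, location in ssdp_locations:
        findings += classify_ssdp_location(responder, location, lan)
    return findings


# Constructed sample telemetry (documentation addresses only; none of this is real data).
SAMPLE_HTTP = [
    '192.0.2.10 - - [13/Aug/2018:10:00:01 +0000] "GET /ssdp/device-desc.xml HTTP/1.1" 200 412 "-" "None"',
    '192.0.2.10 - - [13/Aug/2018:10:00:01 +0000] "GET /ssdp/data.dtd HTTP/1.1" 200 98 "-" "None"',
    '192.0.2.10 - - [13/Aug/2018:10:00:02 +0000] "GET /?exfiltrated=REDACTED HTTP/1.1" 200 0 "-" "None"',
    '192.0.2.55 - - [13/Aug/2018:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
SAMPLE_NET = [
    {"process": "Plex Media Server.exe", "direction": "outbound", "dst_ip": "198.51.100.7", "dst_port": 445},
    {"process": "chrome.exe", "direction": "outbound", "dst_ip": "203.0.113.9", "dst_port": 443},
]
SAMPLE_DESCRIPTORS = [
    ("198.51.100.7", '<?xml version="1.0"?><!DOCTYPE root [<!ENTITY ext SYSTEM "http://198.51.100.7/ssdp/data.dtd">]><root>&ext;</root>'),
    ("192.0.2.2", '<?xml version="1.0"?><root><device><friendlyName>Living room TV</friendlyName></device></root>'),
]
SAMPLE_LOCATIONS = [("192.0.2.2", "http://192.0.2.2:8080/desc.xml"), ("192.0.2.10", "http://198.51.100.7/ssdp/device-desc.xml")]
LAN = ipaddress.ip_network("192.0.2.0/24")


def demo() -> list[Finding]:
    """Scan the constructed samples; yields seven findings, one per planted indicator."""
    return scan(SAMPLE_HTTP, SAMPLE_NET, SAMPLE_DESCRIPTORS, SAMPLE_LOCATIONS, LAN)
```

Each check is kept in its own function so it can be wired to a different feed (proxy logs, EDR network events, a packet capture of SSDP responses) independently; the Plex-originated SMB connection and the non-local descriptor URL are the two signals that need no attacker-controlled web server to be visible, so they are the ones worth alerting on first.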
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.