CVE-2020-5741
published 2020-05-08

CVE-2020-5741: Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.

Priority: P1, score 83 (high)
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV, ITW (exploited in the wild), exploit available
CISA Known Exploited Vulnerability, due 2023-03-31
Exploited in the wild
EPSS: 72.94% (99.4th percentile)

Affected

1 range

Vendor   Product        Version range   Fixed in
plex     media_server   < 1.19.3        1.19.3

Detection & IOCs (extracted from sources)

path:  Dict
other: X-Plex-Token

  • Detect abuse of the Plex Camera Upload feature to upload arbitrary files: the exploit requires an authenticated attacker to create a photo library and add arbitrary files to it via this feature.
  • Monitor for changes to the Windows-only Plex setting 'LocalAppDataPath' being redirected to an attacker-controlled photo library directory, which triggers the unpickling of the malicious 'Dict' file.
  • Alert on the CISA KEV listing: CVE-2020-5741 is confirmed actively exploited in the wild; prioritize detection on any Plex Media Server instance on Windows.
  • Hunt for keylogger installation following Plex RCE exploitation: in the confirmed LastPass incident, attackers used the RCE to install a keylogger and steal credentials.
  • Exploitation requires authentication: the attacker must have access to the Plex server administrator's Plex account (Plex_Token). Unauthenticated exploitation is not possible.
  • The exploit is Windows-only because it relies on the Windows-specific Plex variable 'LocalAppDataPath'.
  • If an exploit attempt fails or is cancelled, the malicious 'Dict' file is left on disk; subsequent attempts require a new ALBUM_NAME, because repeated writes produce 'Dict-1' instead of 'Dict', which will not execute.
  • Code execution runs as the user who started the Plex Media Server process, so the privilege level depends on the Plex service account configuration.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.2     HIGH       CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      6.5     MEDIUM     AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck             7.2     HIGH
cisa                  7.2     HIGH