CVE-2020-5741
Published 2020-05-08
CVE-2020-5741: Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
Priority: P1 · 83 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2023-03-31
Exploited in the wild
EPSS: 72.94% (99.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plex | media_server | < 1.19.3 | 1.19.3 |
Detection & IOCs (extracted from sources)
- Detect abuse of the Plex Camera Upload feature to upload arbitrary files; the exploit requires an authenticated attacker to create a photo library and add arbitrary files to it via this feature.
- Monitor for Plex setting changes to the Windows-only variable 'LocalAppDataPath' being redirected to an attacker-controlled photo library directory, which triggers the malicious Dict unpickling.
- Alert on CISA KEV listing: CVE-2020-5741 is confirmed actively exploited in the wild; prioritize detection on any Plex Media Server instance on Windows.
- Hunt for keylogger installation following Plex RCE exploitation; in the confirmed LastPass incident, attackers used the RCE to install a keylogger and steal credentials.
- Exploitation requires authentication: the attacker must have access to the Plex server administrator's Plex account (Plex_Token). Unauthenticated exploitation is not possible.
- The exploit is Windows-only due to reliance on the Windows-specific Plex variable 'LocalAppDataPath'.
- If an exploit attempt fails or is cancelled, the malicious 'Dict' file is left on disk; subsequent exploit attempts require a new ALBUM_NAME, as repeated writes produce 'Dict-1' instead of 'Dict', which will not execute.
- Code execution runs as the user who started the Plex Media Server process, so the privilege level depends on the Plex service account configuration.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | | 7.2 | HIGH | |
| cisa | | 7.2 | HIGH | |
GHSA
GHSA-53fh-qcq6-xwhv (ghsa_unreviewed · 2022-05-24)
CVE-2020-5741 [HIGH] CWE-502: Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
VulnCheck
Plex Media Server Remote Code Execution Vulnerability (vulncheck · 2020 · CVSS 7.2)
CVE-2020-5741 [HIGH] CWE-502
Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
Affected: Plex Media Server
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-plex-bug-after-lastpass-breach/
Remediation Due: 2023-03-31
CISA
Plex Media Server Remote Code Execution Vulnerability (cisa · 2023-03-10 · CVSS 7.2)
CVE-2020-5741 [HIGH] CWE-502
Affected: Plex Media Server
Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
Required Action: Apply updates per vendor instructions.
Notes:
- https://forums.plex.tv/t/security-regarding-cve-2020-5741/586819
- https://nvd.nist.gov/vuln/detail/CVE-2020-5741
Remediation Due Date: 2023-03-31
No detection rules found.
Bleepingcomputer
Plex warns users to patch security vulnerability immediately (blogs_bleepingcomputer · 2025-08-15 · CVSS 8.5)
CVE-2025-34158 [HIGH]
## Plex warns users to patch security vulnerability immediately
By Sergiu Gatlan
Update August 22, 03:57 EDT: This Plex Media Server vulnerability is now tracked as CVE-2025-34158, and it has been rated as maximum severity by VulnCheck.
Plex notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.
The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, saying only that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.
Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.
"We recently received a report via ou
Tenable
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There's an App for That! (blogs_tenable · 2023-03-10)
Tenable
Tenable Research Discloses Multiple Vulnerabilities in Plex Media Server (blogs_tenable · 2020-06-16)
References:
- http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html
- https://www.tenable.com/security/research/tra-2020-32
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5741
Timeline:
- 2020-05-08: Published
- 2023-03-10: Added to CISA KEV
- Exploited in the wild