CISA has added a nearly three-year-old high-severity remote code execution (RCE) vulnerability in Plex Media Server to its catalog of security flaws exploited in attacks.
Tracked as CVE-2020-5741, this security flaw allows hackers with administrator privileges to remotely execute arbitrary Python code in low-complexity attacks that do not require user interaction.
Attackers with “administrator access to a Plex Media Server could abuse the Camera Upload feature to cause the server to execute malicious code,” according to an advisory released by the Plex Security Team in May 2020 when it fixed the bug with the release of Plex Media Server 1.19.3.
“This could be done by setting the server’s data directory to overlap with the content location of a library that Camera Upload has been enabled on. This issue could not be exploited without first accessing the server’s Plex account.”
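The advisory describes two conditions a defender can check for directly: a server build older than 1.19.3, and a Camera Upload-enabled library whose content location overlaps the server’s data directory. The following audit script is an added example, not code from the article or from Plex; the library records, the data-directory path, the version strings and the `camera_upload` field are constructed to illustrate the check, since the article does not describe Plex’s configuration format. It treats “overlap” as either path containing the other, which is an assumption, and assumes POSIX-style paths.

```python
import posixpath

# Plex Media Server release that shipped the fix for CVE-2020-5741 (from the advisory).
PATCHED_VERSION = (1, 19, 3)

# Constructed sample data: a Linux-style data directory and three libraries.
# Only "Phone Photos" has Camera Upload enabled AND lives inside the data directory.
SAMPLE_DATA_DIR = "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server"
SAMPLE_LIBRARIES = [
    {"name": "Movies", "path": "/srv/media/movies", "camera_upload": False},
    {"name": "Phone Photos",
     "path": "/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Uploads",
     "camera_upload": True},
    {"name": "Home Videos", "path": "/srv/media/home", "camera_upload": True},
]


def parse_version(version: str) -> tuple:
    """Turn a build string such as '1.19.2.2737-b7a1c0a1' into (1, 19, 2, 2737).

    Anything after the first '-' is a build tag and is ignored for ordering.
    """
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the major.minor.patch triple is older than the fixed release."""
    return parse_version(version)[:3] < PATCHED_VERSION


def _normalize(path: str) -> str:
    # Collapse '.', '..' and duplicate separators so prefix tests are meaningful.
    return posixpath.normpath(path)


def paths_overlap(a: str, b: str) -> bool:
    """True when the two directories are the same or one is nested inside the other."""
    a, b = _normalize(a), _normalize(b)
    if a == b:
        return True
    # Append '/' so '/a/b' does not match '/a/bc'.
    return a.startswith(b.rstrip("/") + "/") or b.startswith(a.rstrip("/") + "/")


def find_risky_libraries(data_dir: str, libraries: list) -> list:
    """Names of Camera Upload-enabled libraries whose content path overlaps the data directory."""
    return [
        lib["name"]
        for lib in libraries
        if lib.get("camera_upload") and paths_overlap(data_dir, lib["path"])
    ]


def assess(version: str, data_dir: str, libraries: list) -> list:
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    if is_vulnerable_version(version):
        fixed = ".".join(str(n) for n in PATCHED_VERSION)
        findings.append(f"unpatched build {version}: upgrade to {fixed} or later")
    for name in find_risky_libraries(data_dir, libraries):
        findings.append(
            f"library '{name}' has Camera Upload enabled and overlaps the data directory {data_dir}"
        )
    return findings


if __name__ == "__main__":
    for finding in assess("1.19.2.2737-b7a1c0a1", SAMPLE_DATA_DIR, SAMPLE_LIBRARIES):
        print("FINDING:", finding)
```

On the constructed sample the script reports both an unpatched build and the “Phone Photos” library; a server on 1.19.3 or later with upload libraries kept outside the data directory produces no findings. Because the fix shipped in 2020, the version check is the decisive control; the path check is the compensating one for hosts that cannot be upgraded immediately.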
Although CISA did not provide any information about the attacks where CVE-2020-5741 was exploited, this is likely related to the fact that LastPass recently revealed that a senior DevOps engineer’s computer was hacked last year to install a keylogger by abusing a third-party multimedia software RCE bug.
The attackers eventually gained access to the engineer’s credentials and the LastPass company vault. This led to a massive data breach in August 2022 after threat actors exfiltrated LastPass production backups and critical database backups.
Plex RCE was allegedly used to hack LastPass Engineer
Although LastPass did not reveal which software flaw was exploited to hack into the engineer’s computer, Ars Technica reported that the software package running on the employee’s personal computer was Plex.
Coincidentally, in August, Plex also notified customers of a data breach and asked them to reset their passwords after LastPass had revealed its second breach.
On Friday, CISA also added a critical severity vulnerability in VMware’s Cloud Foundation (tracked as CVE-2021-39144), exploited in the wild since early December, in its Known Exploited Vulnerabilities (KEV) catalog.
Under the November 2021 Binding Operational Directive (BOD 22-01), US federal agencies are now also required to secure their systems against these two flaws by March 31 to block attempted attacks that could target their networks.
Although BOD 22-01 only applies to federal agencies, CISA strongly encouraged all organizations to fix these bugs to defend against ongoing attacks.