Plex has patched and mitigated three vulnerabilities affecting Plex Media Server for Windows that could enable attackers to take full control of the underlying system when chained together.
Plex Media Server is a desktop app and the backend server for the Plex media streaming service, designed for streaming movies, TV shows, music, and photo collections to over the Internet and on local area networks.
The three vulnerabilities tracked CVE-2020-5740, CVE-2020-5741, and CVE-2020-5742 were found by Tenable security researcher Chris Lyne and reported to Plex on May 31st.
If attackers chain together exploits for all these security flaws, they could remotely execute code as SYSTEM, fully taking over the operating system, gain access to all files, deploy backdoors, or move laterally to other devices on the same network.
The Plex Security Team rolled out patches for CVE-2020-5740 on April 24 and for CVE-2020-5741 on May 7, and mitigated CVE-2020-5742 via server-side changes.