
300k+ Plex Media Server instances still vulnerable to attack via CVE-2025-34158

Over 300,000 internet-facing Plex Media Server instances are still vulnerable to attack via CVE-2025-34158, a critical vulnerability for which Plex issued a fix earlier this month, Censys has warned.


About CVE-2025-34158

Plex Media Server (PMS) is software that allows users to turn their Windows/Linux/macOS computer or their network-attached storage devices into a personal media server. It organizes their movies, music, photos, and other media and enables them to stream the content on nearly any device.

CVE-2025-34158 is an improper input validation vulnerability that affects PMS versions 1.41.7.x to 1.42.0.x, and has been fixed in version 1.42.1.

The flaw has the highest possible CVSS score, which tells us that it can be exploited remotely over the internet, without user interaction and without attackers having to authenticate first.

The vulnerability is apparently easy to exploit, and could result in a total loss of confidentiality, integrity, and availability. This means that attackers may use it to access private data, corrupt it, or make it unavailable by crashing or disabling the Plex server.

Upgrade your Plex Media Server

A few days after the security update was released, Plex took the unusual (but not unheard of) step of contacting users via email to urge them to upgrade to Plex Media Server version 1.42.1.10060 or later to fix the issue. Unfortunately, it seems that too many users haven’t felt the need to do so.
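To turn the affected range and the recommended build into a quick inventory check, here is an added Python example (not from the article, Censys, or Plex) that flags version strings in the 1.41.7.x to 1.42.0.x range and anything older than the 1.42.1.10060 build Plex asked users to install; the host names and version strings in it are constructed.

```python
import re

# Bounds from the article: affected 1.41.7.x through 1.42.0.x, fixed in 1.42.1;
# Plex's email asked users to install 1.42.1.10060 or later.
AFFECTED_MIN = (1, 41, 7)
FIXED_MIN = (1, 42, 1)
RECOMMENDED = (1, 42, 1, 10060)


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '1.42.0.9975-abc1234' into (1, 42, 0, 9975); the trailing hash is dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Plex version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    """Right-pad with zeros so tuples of different length compare component-wise."""
    return (v + (0,) * n)[:n]


def is_affected(text: str) -> bool:
    """True when the version lies in the range the advisory lists as vulnerable."""
    v3 = _pad(parse_version(text), 3)
    return AFFECTED_MIN <= v3 < FIXED_MIN


def classify(text: str) -> str:
    """'vulnerable' inside the affected range; 'below-recommended' when outside it
    but older than the build Plex asked users to install; otherwise 'ok'."""
    if is_affected(text):
        return "vulnerable"
    if _pad(parse_version(text), 4) < RECOMMENDED:
        return "below-recommended"
    return "ok"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each host in an inventory (host -> reported version) to its status."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory: hypothetical hosts and illustrative version strings.
SAMPLE_INVENTORY = {
    "nas-01": "1.42.0.9975-abc1234",
    "htpc-02": "1.41.6.9685-xyz9876",
    "pi-03": "1.41.7.9799",
    "vm-04": "1.42.1.10060-def5678",
    "mac-05": "1.42.1.10000",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {SAMPLE_INVENTORY[host]:24} {status}")
```

Feed it the version string reported by each server's web interface (or your asset inventory) to separate hosts that need the CVE-2025-34158 fix from those that are merely behind the recommended build.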

Last Friday, Censys flagged 428,083 devices – predominantly located in the US and Europe – exposing the Plex Media Server web interface / login portal to the internet.

“As of Monday, August 25, Censys observes at least 314k instances of the Plex web interface that appear to be running versions 1.41.7.x to 1.42.0.x,” the Censys research team told Help Net Security.

Plex Media Server vulnerabilities have occasionally been exploited by attackers.

Notably, the August 2022 LastPass breach was made possible by attackers putting malware on a LastPass employee’s home computer, after compromising it through a Plex Media Server vulnerability (CVE-2020-5741). This incident proved that compromised Plex installations can also be used as attack footholds.

The good news is that technical details about the vulnerability haven’t been made public and there isn’t a public proof-of-concept (PoC) exploit.

Nevertheless, users have been urged to update to a fixed version. They should also consider securing access to their Plex control panel and their accounts as much as possible.
