300k+ Plex Media Server instances still vulnerable to attack via CVE-2025-34158
Over 300,000 internet-facing Plex Media Server instances are still vulnerable to attack via CVE-2025-34158, a critical vulnerability for which Plex issued a fix earlier this month, Censys has warned.
About CVE-2025-34158
Plex Media Server (PMS) is software that allows users to turn their Windows/Linux/macOS computer or their network-attached storage devices into a personal media server. It organizes their movies, music, photos, and other media and enables them to stream the content on nearly any device.
CVE-2025-34158 is an improper input validation vulnerability that affects PMS versions 1.41.7.x to 1.42.0.x, and has been fixed in version 1.42.1.
The flaw’s CVSS score is the highest possible, and tells us that it can be exploited remotely over the internet, without user interaction or attackers having to authenticate first.
The vulnerability is apparently easy to exploit, and could result in a total loss of confidentiality, integrity, and availability. This means that attackers may access private data through it, corrupt it, or make it unavailable for use by crashing or disabling the Plex server.
Upgrade your Plex Media Server
A few days after the security update was released, Plex took the unusual (but not unheard of) step of contacting users via email to urge them to upgrade to Plex Media Server version 1.42.1.10060 or later to fix the issue. Unfortunately, it seems that too many users haven’t felt the need to do it.
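For administrators who want to confirm where their own server stands, the following Python script (an added example, not Plex's or Censys' tooling) compares a Plex Media Server version string against the affected range named above, 1.41.7.x through 1.42.0.x, treating 1.42.1 as the first fixed release. It also pulls the version attribute out of a constructed sample of the XML that PMS returns from its `/identity` endpoint on port 32400; that endpoint and the shape of its response are stated from memory here and should be treated as an assumption, so check the output of your own server before relying on it.

```python
"""Classify a Plex Media Server version against the CVE-2025-34158 affected range.

Added example for this article; not Plex's own code. Range bounds come from the
article: 1.41.7.x through 1.42.0.x affected, 1.42.1 and later fixed.
"""
import xml.etree.ElementTree as ET
from typing import Tuple

# Inclusive lower bound and exclusive upper bound of the affected range.
AFFECTED_MIN = (1, 41, 7)
FIXED_MIN = (1, 42, 1)

# Constructed sample of a /identity response (assumption about the endpoint's
# format; the version value below is made up for the example).
SAMPLE_IDENTITY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<MediaContainer size="0" claimed="1" '
    'machineIdentifier="EXAMPLE-MACHINE-ID" version="1.42.0.9876-abcdef012"/>'
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.42.1.10060-4e8b05daf' into (1, 42, 1, 10060).

    The build hash after '-' is dropped and an 'x' placeholder (as used in the
    advisory's '1.41.7.x') is treated as 0 so range strings parse too.
    """
    core = version.strip().split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        parts.append(0 if piece.lower() == "x" else int(piece))
    if len(parts) < 3:
        raise ValueError(f"expected at least major.minor.patch, got {version!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    major_minor_patch = parse_version(version)[:3]
    return AFFECTED_MIN <= major_minor_patch < FIXED_MIN


def classify(version: str) -> str:
    """Human-readable verdict for a version string."""
    v = parse_version(version)[:3]
    if v >= FIXED_MIN:
        return "fixed"
    if v >= AFFECTED_MIN:
        return "affected"
    return "older than the stated affected range"


def version_from_identity_xml(xml_text: str) -> str:
    """Extract the 'version' attribute from a /identity MediaContainer document."""
    root = ET.fromstring(xml_text)
    version = root.attrib.get("version")
    if not version:
        raise ValueError("no version attribute in MediaContainer element")
    return version


if __name__ == "__main__":
    # Typical use: curl http://<plex-host>:32400/identity and pipe the XML in.
    found = version_from_identity_xml(SAMPLE_IDENTITY)
    print(f"server reports {found}: {classify(found)}")
    for sample in ("1.41.7.0", "1.42.0.9999", "1.42.1.10060", "1.41.6.4000"):
        print(f"{sample}: {classify(sample)}")
```

Because the comparison is done on parsed integer tuples rather than on strings, a fourth build component such as `.10060` never disturbs the ordering, and the build hash suffix Plex appends is ignored rather than breaking the parse.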
Last Friday, Censys flagged 428,083 devices – predominantly located in the US and Europe – exposing the Plex Media Server web interface / login portal to the internet.
“As of Monday, August 25, Censys observes at least 314k instances of the Plex web interface that appear to be running versions 1.41.7.x to 1.42.0.x,” the Censys research team told Help Net Security.
Plex Media Server vulnerabilities have been occasionally exploited by attackers.
Notably, the August 2022 LastPass breach was made possible by attackers putting malware on a LastPass employee’s home computer, after compromising it through a Plex Media Server vulnerability (CVE-2020-5741). This incident proved that compromised Plex installations can also be used as attack footholds.
The good news is that technical details about the vulnerability haven’t been made public and there isn’t a public proof-of-concept (PoC) exploit.
Nevertheless, users have been urged to update to a fixed version. They should also consider securing access to their Plex control panel and their accounts as much as possible.
UPDATE (September 4, 2025, 11:00 a.m. ET):
The CVSS base score for CVE-2025-34158 has been lowered by Mitre after input from the researcher who unearthed the flaw. It now stands at 8.5, and the new vector string indicates that the flaw is remotely exploitable without user interaction, but attackers have to authenticate first with a low-privileged account before deploying the exploit.
The flaw is due to Plex Media Server not properly transferring/importing a resource/behavior to/from another sphere, “in a manner that provides unintended control over that resource.”
The researcher stated that more details about the flaw will be provided in late 2025 or later, depending on whether enough users have upgraded to a fixed version.