CVE-2020-5741

CVSS 7.2 HIGH | EPSS 72.9% | KEV | CWE-502

In short

Plex Media Server on Windows has a flaw that allows authenticated users to run malicious Python code by sending specially crafted data. This is dangerous because attackers with valid credentials can take full control of the server.

Technical detail

A CWE-502 (deserialization of untrusted data) vulnerability in Plex Media Server on Windows enables remote code execution. An authenticated attacker can submit crafted serialized input that, when deserialized, executes arbitrary Python code with the server's privileges. The CVSS vector rates the privileges required as high (PR:H).

Summary generated and translated by AI from the official description.
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H