Vulnerability Description
Plex has addressed an undisclosed security vulnerability affecting Plex Media Server versions 1.41.7.x to 1.42.0.x that was discovered through its bug bounty program. The company has released an updated version (1.42.1.10060 or later) that resolves the issue and strongly recommends that all users update their Plex Media Servers immediately.

The patch is available through the standard server management interface or can be downloaded directly from Plex’s official downloads page, and users running affected versions are being directly notified to ensure timely remediation of this security concern.

Censys Perspective
At the time of writing, Censys observed 428,083 devices exposing the Plex Media Server web interface. While version information is available for most hosts, not all of the exposures are necessarily vulnerable. The query below can be used in Censys Platform to identify Plex Media Servers exposing a vulnerable version.
web.endpoints.plex_media_server.version=~"^1.(41.([7-9]|[1-9][0-9])|42.0)."
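
For checking version strings from your own inventory against the range stated above, here is an added example (not Censys or Plex code). It compares versions numerically and cross-checks the result against the query's regex, with the dots escaped for Python's `re`. The `-<hex hash>` suffix format and all sample versions are assumptions constructed for illustration.

```python
import re

# The page's Censys regex, with dots escaped for Python's re (an adaptation).
AFFECTED_RE = re.compile(r"^1\.(41\.([7-9]|[1-9][0-9])|42\.0)\.")
FIXED = (1, 42, 1, 10060)  # first fixed build named on the page


def parse(version):
    """Return (major, minor, patch, build), or None if the string is malformed.

    Assumes four numeric fields with an optional '-<hex hash>' suffix.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-[0-9a-f]+)?", version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Classify a version string against the range given on the page."""
    v = parse(version)
    if v is None:
        return "unparseable"
    if (1, 41, 7) <= v[:3] <= (1, 42, 0):
        return "affected"
    if v >= FIXED:
        return "fixed"
    if v[:3] == (1, 42, 1):
        return "unknown"  # 1.42.1 build below 10060: the page does not say
    return "outside-range"  # older than 1.41.7


# Constructed sample versions (not real Plex builds).
SAMPLES = [
    "1.41.6.2222-dddddddd",
    "1.41.7.1111-aaaaaaaa",
    "1.41.10.3333-eeeeeeee",
    "1.42.0.4444-ffffffff",
    "1.42.1.10059-cccccccc",
    "1.42.1.10060-bbbbbbbb",
]


def report(samples=SAMPLES):
    """Return (version, numeric verdict, regex matched?) for each sample."""
    return [(s, classify(s), bool(AFFECTED_RE.match(s))) for s in samples]


if __name__ == "__main__":
    for version, verdict, regex_hit in report():
        print(f"{version:24} {verdict:14} regex_match={regex_hit}")
```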

The queries below can help identify any devices exposing the Plex Media Server login portal, but they are not necessarily vulnerable.
web.software: (vendor:"Plex" and product:"Media Server")
host.services.software: (vendor="Plex" and product="Media Server") or web_entity.instances.software: (vendor="Plex" and product="Media Server")
services.software: (vendor="Plex" and product="Media Server")


