CVE-2020-5741
Published: 08 May 2020
Summary
CVE-2020-5741 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Plex Media Server on Windows. Its CVSS 3.1 base score is 7.2 (High).
Operationally, it is ranked in the top 2.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2020-5741 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Plex Media Server running on Windows. The flaw permits remote code execution through unsafe handling of serialized Python objects (Python's pickle format, which can instruct the loader to call arbitrary callables). Its CVSS 3.1 score of 7.2 reflects a network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability; the score is below the 9.8 of an unauthenticated RCE because the vector requires high privileges (PR:H), i.e. an authenticated account with administrative rights on the server.
A remote attacker who already possesses such credentials can supply a malicious serialized object to the server, which deserializes it and executes arbitrary Python code on the Windows host in the context of the Plex Media Server process. Because the attack requires no user interaction, the compromise of the host is limited only by the privileges that process holds.
The vulnerability appears in CISA's catalog of known exploited vulnerabilities, which indicates exploitation in the wild, and public exploit code is referenced in Tenable research advisory TRA-2020-32 and in Packet Storm disclosures. The referenced sources do not detail a specific patch or configuration guidance; operators should confirm against Plex's release notes that they are running a server version that addresses CVE-2020-5741 and review which accounts hold administrative access to the server.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-26900
Vulnerability details
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
- CWE(s): CWE-502 Deserialization of Untrusted Data
- KEV Date Added: 10 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Plex Media Server on Windows.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted serialized Python objects before deserialization, blocking the CWE-502 vector used by authenticated attackers to achieve RCE. In practice this means refusing to unpickle data from a user-writable location at all, or restricting the unpickler to an allow-list of harmless types.
- SI-7 (Software, Firmware, and Information Integrity): enforces integrity checks on software and data, so that serialized objects not produced by the server itself (for example, blobs lacking a valid keyed MAC) are detected and rejected before they can execute arbitrary code on the Plex server.
- AC-6 (Least Privilege): limits the privileges of the Plex service account and of authenticated Plex users, so that successful deserialization-based code execution cannot fully compromise the Windows host and fewer accounts hold the administrative rights the attack requires.
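The following is an added, constructed example (not Plex's code and not from the referenced advisories) showing the CWE-502 pattern described in the deeper analysis next to the SI-10 and SI-7 controls listed above. A pickle whose `__reduce__` returns a callable runs that callable the moment it is loaded; `vulnerable_load` stands in for any service that unpickles user-supplied bytes. The hardened path allow-lists the only class the service legitimately needs (assumed here to be `collections.OrderedDict`) and checks an HMAC-SHA256 tag with a server-held key before unpickling. The payload is deliberately harmless: it only sets a flag so the demonstration can show whether code ran.

```python
import builtins
import hashlib
import hmac
import io
import pickle
from collections import OrderedDict

# Constructed demonstration of CWE-502 with Python's pickle module. Not Plex's
# code: the vulnerable loader stands in for any service that unpickles data an
# authenticated user can write somewhere the server later reads.

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: server-held secret


# --- Attacker side: a pickle that runs code when loaded ----------------------

class EvilPayload:
    """Any class with __reduce__ makes the unpickler call an arbitrary callable.

    The callable here only sets a flag so the demo is harmless; a real payload
    would name os.system or subprocess.Popen in exactly the same way.
    """

    def __reduce__(self):
        return (exec, ("import builtins; builtins.PICKLE_PAYLOAD_RAN = True",))


def build_malicious_pickle() -> bytes:
    """Serialize the payload as an attacker would ship it to the server."""
    return pickle.dumps(EvilPayload())


def payload_ran() -> bool:
    """True once the payload's callable has executed in this process."""
    return getattr(builtins, "PICKLE_PAYLOAD_RAN", False)


# --- Vulnerable server side: trusts whatever bytes arrive --------------------

def vulnerable_load(blob: bytes):
    """CWE-502: pickle.loads executes the GLOBAL/REDUCE opcodes in attacker data."""
    return pickle.loads(blob)


# --- Hardened server side ----------------------------------------------------

class RestrictedUnpickler(pickle.Unpickler):
    """Input validation (SI-10): only allow-listed classes may be resolved.

    find_class is consulted for every GLOBAL/STACK_GLOBAL opcode, so a pickle
    that references builtins.exec (or os.system) is refused before REDUCE runs.
    """

    ALLOWED = {("collections", "OrderedDict")}  # assumption: what the service needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def sign(blob: bytes, key: bytes) -> bytes:
    """Integrity protection (SI-7): prepend an HMAC-SHA256 tag the server computed."""
    return hmac.new(key, blob, hashlib.sha256).digest() + blob


def verified_load(signed: bytes, key: bytes):
    """Reject any blob the server did not sign, then unpickle with the allow-list."""
    tag, blob = signed[:32], signed[32:]
    expected = hmac.new(key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; refusing to unpickle")
    return restricted_load(blob)


def build_legitimate_record() -> bytes:
    """A record the server itself would have written (constructed sample data)."""
    return pickle.dumps(OrderedDict(title="demo"))


def rejected(loader, blob: bytes, *args) -> bool:
    """True if the loader refused the blob, the outcome we want for hostile input."""
    try:
        loader(blob, *args)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


if __name__ == "__main__":
    evil = build_malicious_pickle()
    print("restricted loader rejected payload:", rejected(restricted_load, evil))
    print("signed loader rejected unsigned payload:", rejected(verified_load, evil, DEMO_KEY))
    print("payload ran so far:", payload_ran())
    vulnerable_load(evil)
    print("payload ran after vulnerable_load:", payload_ran())
```

The allow-list and the MAC address different failures: the MAC stops the server from loading anything it did not write itself, and the allow-list bounds the damage if a signed blob is ever attacker-influenced or the key leaks. Neither is as strong as not unpickling user-reachable data at all (a JSON record would need no allow-list), and neither replaces AC-6: the code still executes with whatever rights the Plex process holds, so the service account should not be an administrator.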