Cyber Resilience

CVE-2020-5741

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 08 May 2020
Modified: 31 October 2025
KEV Added: 10 March 2023
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3522 (97.1st percentile)
Risk Priority: 56 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-5741 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Plex Media Server. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2020-5741 is a deserialization of untrusted data vulnerability, tracked under CWE-502, that affects Plex Media Server running on Windows. The flaw permits remote code execution through unsafe handling of serialized Python objects, as reflected in its CVSS 3.1 score of 7.2 with network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.

A remote attacker who already possesses valid authenticated credentials can supply a malicious serialized object to the server, resulting in arbitrary Python code execution on the Windows host. The attack requires no user interaction and can fully compromise the affected system.

The vulnerability appears in CISA's catalog of known exploited vulnerabilities and has public exploit code referenced in Tenable research advisory TRA-2020-32 along with Packet Storm disclosures, confirming active interest from attackers. No specific patch or configuration guidance is detailed in the provided references.

EU & UK References

Vulnerability details

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 10 March 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Plex Media Server ≤ 1.19.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of untrusted serialized Python objects before deserialization, blocking the CWE-502 vector used by authenticated attackers to achieve RCE.

Integrity verification (prevent, detect): Enforces integrity checks on software and data to detect or reject malicious serialized objects that would otherwise execute arbitrary code on the Plex server.

AC-6 Least Privilege (prevent): Limits privileges of authenticated Plex service accounts so that successful deserialization-based code execution cannot fully compromise the Windows host.
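The first two controls (validate serialized input before deserializing it, and verify integrity so only server-produced blobs are accepted) can be shown concretely for the Python pickle case the analysis describes. The following is an added example written for this page; it is not Plex code and not part of the original record. The HMAC key, the allow-list of permitted globals and the sample payloads are all constructed for the demonstration. The third control, least privilege for the service account, is an operating-system configuration and is not represented in code.

```python
import hashlib
import hmac
import io
import os
import pickle

# Hypothetical key for the demonstration. A real service would load it from a
# secrets store; it must never be shipped in source.
SECRET_KEY = b"example-key-replace-me"

# Allow-list of the only (module, name) pairs the application legitimately
# needs to reconstruct. Anything else is refused before it can be resolved.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses any global not on the allow-list (SI-10 style validation)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"disallowed global {module}.{name}")


def sign(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return tag || payload; the tag binds the blob to a key only the server holds."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def verify_and_load(blob: bytes, key: bytes = SECRET_KEY):
    """Integrity check first, then restricted deserialization. Raises on failure."""
    tag, payload = blob[:32], blob[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: blob was not produced by this server")
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def safe_load_result(blob: bytes, key: bytes = SECRET_KEY) -> str:
    """Classify the outcome for logging: 'ok', 'integrity_failure' or 'rejected_global'."""
    try:
        verify_and_load(blob, key)
        return "ok"
    except ValueError:
        return "integrity_failure"
    except pickle.UnpicklingError:
        return "rejected_global"


# Constructed samples for the demonstration.
GOOD_BLOB = sign(pickle.dumps({"title": "Movie", "year": 2020}))
# A pickle carrying a reference to a module-level function. The function chosen
# here (os.getcwd) is harmless; the point is that any global outside the
# allow-list is refused by find_class before it is ever resolved.
UNTRUSTED_BLOB = sign(pickle.dumps(os.getcwd))
# The good payload with one bit of its tag flipped: fails the integrity check.
TAMPERED_BLOB = bytes([GOOD_BLOB[0] ^ 0x01]) + GOOD_BLOB[1:]

if __name__ == "__main__":
    for label, blob in [("good", GOOD_BLOB), ("untrusted", UNTRUSTED_BLOB), ("tampered", TAMPERED_BLOB)]:
        print(label, "->", safe_load_result(blob))
```

The order matters: the HMAC is checked before any byte of the payload reaches the unpickler, so a blob that was not produced under the server's key is never parsed at all, and the allow-list in find_class catches anything that passes the integrity check but still tries to reference a global the application does not need.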

References