CVE-2025-69414

HighPublic PoC

Published: 02 January 2026

Published

02 January 2026

Modified

27 February 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0005 16.0th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69414 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Plex Media Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 enforces approved authorizations on API endpoints, directly preventing transient access tokens from retrieving permanent ones due to incorrect authorization.

IA-5 Authenticator Management partial match

prevent

IA-5 manages authenticators including transient and permanent tokens, mitigating unauthorized token upgrades by enforcing proper lifecycle controls.

AC-6 Least Privilege partial match

prevent

AC-6 applies least privilege to limit low-privileged authenticated users from escalating access via vulnerable token retrieval APIs.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1528 Steal Application Access Token Credential Access

Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

attack.mitre.org →

Why these techniques?

Vulnerability is an authorization bypass in a public-facing Plex API allowing direct retrieval of a permanent application access token from a transient one, enabling exploitation of the server and theft/use of the resulting token for persistent access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.

Deeper analysisAI

CVE-2025-69414 is a vulnerability in Plex Media Server (PMS) through version 1.42.2.10156 that enables the retrieval of a permanent access token via a /myplex/account API call when supplied with a transient access token. This issue, associated with CWE-863 (Incorrect Authorization), has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low complexity, and significant confidentiality impact across a changed scope.

A low-privileged authenticated attacker with network access to the Plex Media Server can exploit this vulnerability without user interaction. By using a transient access token in the specified API call, the attacker can obtain a permanent access token, potentially granting persistent unauthorized access to the victim's Plex account and associated media resources, with high confidentiality impact and limited integrity modification.

Mitigation details are available in the referenced advisory at https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md.