Cyber Resilience

CVE-2025-69414

HighPublic PoC

Published: 02 January 2026

Published
02 January 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0021 11.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-69414 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Plex Media Server. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-69414 is a vulnerability in Plex Media Server (PMS) through version 1.42.2.10156 that enables the retrieval of a permanent access token via a /myplex/account API call when supplied with a transient access token. This issue, associated with CWE-863 (Incorrect Authorization), has a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high severity due to network accessibility, low complexity, and significant confidentiality impact across a changed scope.

A low-privileged authenticated attacker with network access to the Plex Media Server can exploit this vulnerability without user interaction. By using a transient access token in the specified API call, the attacker can obtain a permanent access token, potentially granting persistent unauthorized access to the victim's Plex account and associated media resources, with high confidentiality impact and limited integrity modification.

Mitigation details are available in the referenced advisory at https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
Why these techniques?

Vulnerability is an authorization bypass in a public-facing Plex API allowing direct retrieval of a permanent application access token from a transient one, enabling exploitation of the server and theft/use of the resulting token for persistent access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69415Same product: Plex Media Server
CVE-2026-30965Shared CWE-863
CVE-2026-28513Shared CWE-863
CVE-2026-33461Shared CWE-863
CVE-2026-32924Shared CWE-863
CVE-2026-23837Shared CWE-863
CVE-2020-36948Shared CWE-863
CVE-2026-29087Shared CWE-863
CVE-2026-30947Shared CWE-863
CVE-2024-13291Shared CWE-863

Affected Assets

plex
media server
≤ 1.42.2.10156

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 enforces approved authorizations on API endpoints, directly preventing transient access tokens from retrieving permanent ones due to incorrect authorization.

prevent

IA-5 manages authenticators including transient and permanent tokens, mitigating unauthorized token upgrades by enforcing proper lifecycle controls.

prevent

AC-6 applies least privilege to limit low-privileged authenticated users from escalating access via vulnerable token retrieval APIs.

References