Cyber Resilience

CVE-2025-69415

Severity: High · Public PoC

Published: 02 January 2026

Modified: 27 February 2026
KEV Added: not listed
CVSS Score (v3.1): 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0002 (6.4th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69415 is a high-severity Operation on a Resource after Expiration or Release (CWE-672) vulnerability in Plex Media Server. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-69415 affects Plex Media Server (PMS) through version 1.42.2.10156, where the ability to access the /myplex/account endpoint using a device token is not properly restricted based on whether the device is currently associated with an account. This represents an access control misalignment, classified under CWE-672 (operation on a resource after expiration or release). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact, in a changed scope scenario.

A low-privileged attacker (PR:L) with network access (AV:N) can exploit this issue, though it requires high attack complexity (AC:H) and no user interaction (UI:N). By leveraging a device token, the attacker can reach the /myplex/account endpoint even if the device is not actively associated with an account, potentially obtaining sensitive account information and achieving high confidentiality impact, with limited integrity modification possible.

For mitigation details, refer to the advisory at https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md.


Vulnerability details

In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.

CWE(s)

CWE-672 Operation on a Resource after Expiration or Release

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct network-accessible access control bypass in public-facing Plex Media Server endpoint enables exploitation for unauthorized account data access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-69414 · Same product: Plex Media Server
CVE-2024-47571 · Shared CWE-672
CVE-2026-33278 · Shared CWE-672
CVE-2024-57929 · Shared CWE-672
CVE-2013-10075 · Shared CWE-672
CVE-2026-43585 · Shared CWE-672
CVE-2026-31875 · Shared CWE-672
CVE-2026-30978 · Shared CWE-672

Affected Assets

Plex Media Server ≤ 1.42.2.10156

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-3 Access Enforcement (prevent): Directly enforces authorization decisions so that a device token may only access /myplex/account when the device is currently associated with an account.

AC-6 Least Privilege (prevent): Limits the privileges granted to a device token to only those permitted while the device remains actively associated, preventing the over-privileged access described in the CVE.

prevent: Requires the system to verify that a device remains properly identified and authorized (i.e., still associated) before allowing continued use of its token to reach account endpoints.
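The following is an added example illustrating the CWE-672 pattern described in the analysis above and the access-enforcement controls listed here. It is not Plex Media Server's code: the token format, the `Directory` stand-in for the server's device and account records, and the handler names are assumptions. The weak handler trusts the account association baked into the token when it was issued, so a token keeps working after the device has been unlinked; the hardened handler makes the authorization decision against the device's current association at request time.

```python
# Added example (not Plex code): authorising an account endpoint by the
# device's *current* association rather than by token validity alone.
# Token format, Directory and handler names are assumptions for the demo.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # constructed for the demo


@dataclass
class Device:
    device_id: str
    account_id: str | None  # None once the device has been unlinked


@dataclass
class Directory:
    """In-memory stand-in for the server's device/account records (assumed)."""
    devices: dict[str, Device] = field(default_factory=dict)
    accounts: dict[str, dict] = field(default_factory=dict)

    def link(self, device_id: str, account_id: str) -> None:
        self.devices[device_id] = Device(device_id, account_id)

    def unlink(self, device_id: str) -> None:
        # The "release" event: the device is no longer associated with any account.
        self.devices[device_id].account_id = None


def issue_device_token(device_id: str, account_id: str) -> str:
    """HMAC-signed token binding a device to the account it was linked to at issue time."""
    payload = f"{device_id}:{account_id}:{secrets.token_hex(8)}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def parse_token(token: str) -> tuple[str, str] | None:
    """Return (device_id, account_id) if the signature verifies, else None."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    device_id, account_id, nonce, mac = parts
    payload = f"{device_id}:{account_id}:{nonce}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return device_id, account_id


def account_handler_weak(directory: Directory, token: str) -> tuple[int, dict | None]:
    """Weak: trusts the association recorded in the token at issue time.
    A still-valid token keeps working after the device has been unlinked (CWE-672)."""
    parsed = parse_token(token)
    if parsed is None:
        return 401, None
    _device_id, account_id = parsed
    return 200, directory.accounts.get(account_id)


def account_handler_hardened(directory: Directory, token: str) -> tuple[int, dict | None]:
    """Hardened: the token only identifies the device; the authorisation decision
    is taken against the device's *current* association (AC-3 / AC-6)."""
    parsed = parse_token(token)
    if parsed is None:
        return 401, None
    device_id, token_account_id = parsed
    device = directory.devices.get(device_id)
    if device is None or device.account_id is None:
        return 403, None  # unknown or unlinked device: no account to act for
    if device.account_id != token_account_id:
        return 403, None  # re-linked to a different account: old token is stale
    return 200, directory.accounts.get(device.account_id)


def demo() -> tuple[int, int]:
    """Link, issue a token, unlink, then replay the same token against both handlers."""
    directory = Directory()
    directory.accounts["acct-1"] = {"email": "owner@example.invalid"}  # constructed record
    directory.link("dev-1", "acct-1")
    token = issue_device_token("dev-1", "acct-1")
    directory.unlink("dev-1")
    weak_status, _ = account_handler_weak(directory, token)
    hardened_status, _ = account_handler_hardened(directory, token)
    return weak_status, hardened_status


if __name__ == "__main__":
    print(demo())  # (200, 403)
```

The design point is that token integrity and authorization are separate questions: a signature proves who issued the token, while the directory lookup answers whether the device is still entitled to act for an account right now. Revoking tokens on unlink is a useful complement, but the request-time check is what closes the window for tokens that were issued before the unlink.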
