Cyber Posture

CVE-2025-69415

Severity: High · Public PoC

Published: 02 January 2026
Modified: 27 February 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0002 (6.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69415 is a high-severity Operation on a Resource after Expiration or Release (CWE-672) vulnerability in Plex Media Server. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 6.7th percentile by EPSS exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A network-reachable access-control bypass on a public-facing Plex Media Server endpoint allows unauthorized access to account data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.

Deeper analysis (AI)

CVE-2025-69415 affects Plex Media Server (PMS) through version 1.42.2.10156, where the ability to access the /myplex/account endpoint using a device token is not properly restricted based on whether the device is currently associated with an account. This represents an access control misalignment, classified under CWE-672 (operation on a resource after expiration or release). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact, in a changed scope scenario.

Exploitation requires network access (AV:N) and only low privileges (PR:L); attack complexity is high (AC:H) and no user interaction is needed (UI:N). By presenting a device token, an attacker can reach the /myplex/account endpoint even if that device is no longer associated with an account, potentially obtaining sensitive account information (high confidentiality impact) with limited scope for integrity modification.

For mitigation details, refer to the advisory at https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md.

Details

CWE(s): CWE-672 (Operation on a Resource after Expiration or Release)

Affected Products

Plex Media Server (vendor: plex, product: media server), versions ≤ 1.42.2.10156

CVEs Like This One

CVE-2025-69414: same product (Plex Media Server)
CVE-2013-10075: shared CWE-672
CVE-2026-43585: shared CWE-672
CVE-2024-47571: shared CWE-672
CVE-2024-57929: shared CWE-672
CVE-2026-30978: shared CWE-672
