CVE-2025-69415
Published: 02 January 2026
Summary
CVE-2025-69415 is a high-severity Operation on a Resource after Expiration or Release (CWE-672) vulnerability in Plex Media Server. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 6.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-69415 affects Plex Media Server (PMS) through version 1.42.2.10156, where the ability to access the /myplex/account endpoint using a device token is not properly restricted based on whether the device is currently associated with an account. This represents an access control misalignment, classified under CWE-672 (operation on a resource after expiration or release). The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact, in a changed scope scenario.
A low-privileged attacker (PR:L) with network access (AV:N) and no need for user interaction (UI:N) can exploit this issue, although the attack complexity is high (AC:H). By presenting a device token, the attacker can reach the /myplex/account endpoint even when the device is no longer associated with an account, potentially obtaining sensitive account information (high confidentiality impact) with only limited scope for integrity modification.
For mitigation details, refer to the advisory at https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0039
Vulnerability details
In Plex Media Server (PMS) through 1.42.2.10156, the ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A directly network-accessible access-control bypass in a public-facing Plex Media Server endpoint allows exploitation for unauthorized access to account data.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization decisions so that a device token may only access /myplex/account when the device is currently associated with an account.
- AC-6 (Least Privilege): Limits the privileges granted to a device token to only those permitted while the device remains actively associated, preventing the over-privileged access described in the CVE.
- Requires the system to verify that a device remains properly identified and authorized (i.e., still associated) before allowing continued use of its token to reach account endpoints.