Security: Regarding CVE-2020-5740

Hello,

We have recently been made aware of a security vulnerability related to our Windows Updater Service that could allow a non-administrator user to execute binaries on the local system as administrator. This service is used to install updates of Plex Media Server in the background. There are no indications that this exploit could be used from a remote machine; any attacker would already need local access to the Windows computer. This issue has been assigned CVE-2020-5740.

We have rolled out a change in our update distribution servers. This change will protect Plex Media Server version 1.18.2 or newer. Plex Media Server installations older than 1.18.2 will still be exploitable and we highly encourage users on older releases to upgrade. Additionally, Plex Media Server versions 1.19.1.2701 & 1.19.2.2702 (and newer) feature additional hardening in the updater infrastructure to protect against future vulnerabilities. We recommend that all users update to one of these releases.

Thanks,
Plex Security Team
