CVE-2025-34158
Plex Media Server (PMS) 1.41.7.x - 1.42.0.x Unspecified Vulnerability
Description
Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres.
INFO
Published Date: Aug. 21, 2025, 2:15 p.m.
Last Modified: Aug. 28, 2025, 5:15 a.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
Version | Severity | Source |
---|---|---|
CVSS 3.1 | HIGH | [email protected] |
CVSS 3.1 | MEDIUM | [email protected] |
CVSS 3.1 | HIGH | [email protected] |
CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Upgrade Plex Media Server to version 1.42.1 or later.
- Apply any subsequent security patches released by Plex.
The following news articles mention the CVE-2025-34158 vulnerability.

- Help Net Security
  Plex tells users to change passwords due to data breach, pushes server owners to upgrade
  Media streaming company Plex has suffered a data breach and is urging users to reset their account password and enable two-factor authentication. “An unauthorized third party accessed a limited subset ...

- The Hacker News
  ⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More
  Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hand ...

- Help Net Security
  Week in review: 300k+ Plex Media Server instances still vulnerable to attack, exploited Git RCE flaw
  Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: 300k+ Plex Media Server instances still vulnerable to attack via CVE-2025-34158 Over 300,000 internet- ...

- Help Net Security
  300k+ Plex Media Server instances still vulnerable to attack via CVE-2025-34158
  Over 300,000 internet-facing Plex Media Server instances are still vulnerable to attack via CVE-2025-34158, a critical vulnerability for which Plex has issued a fix for earlier this month, Censys has ...

- Daily CyberSecurity
  CVE-2025-34158 (CVSS 10): Plex Media Server Users Warned to Patch Critical Vulnerability Now
  Plex Media Server (PMS) users are being urged to update their systems immediately after the discovery of a critical security vulnerability, now tracked as CVE-2025-34158, which has been assigned the m ...

- Daily CyberSecurity
  CVE-2025-55746: Critical Directus Flaw Exposes Servers to Unauthenticated File Upload and RCE
  The Directus project has disclosed a critical vulnerability tracked as CVE-2025-55746 (CVSS 9.3) that could allow unauthenticated attackers to upload or modify files on vulnerable servers. Directus, a ...

The following table lists the changes that have been made to the CVE-2025-34158 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by [email protected], Aug. 28, 2025

Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
Removed | CVSS V3.1 | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | |

- CVE Modified by [email protected], Aug. 28, 2025

Action | Type | Old Value | New Value |
---|---|---|---|
Added | CVSS V3.1 | | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Removed | CVSS V3.1 | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | |

- CVE Modified by [email protected], Aug. 28, 2025

Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | Plex Media Server (PMS) versions 1.41.7.x through 1.42.0.x are affected by an unspecified security vulnerability reported via Plex’s bug bounty program. While technical details have not been publicly disclosed, the issue was acknowledged by the vendor and resolved in version 1.42.1. The vulnerability may pose a risk to system integrity, confidentiality, or availability, prompting a strong recommendation for all users to upgrade immediately. | Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres. |
Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
Added | CWE | | CWE-669 |
Added | Reference | | https://forums.plex.tv/t/plex-media-server-security-update/928341 |
Added | Reference | | https://github.com/lufinkey/vulnerability-research/tree/main/CVE-2025-34158 |
Added | Reference | | https://www.bleepingcomputer.com/news/security/plex-warns-users-to-patch-security-vulnerability-immediately/ |
Added | Reference | | https://www.plex.tv/media-server-downloads/ |
Added | Reference | | https://www.runzero.com/blog/plex/ |
Added | Reference | | https://www.tenable.com/plugins/nessus/250294 |
Added | Reference | | https://www.vulncheck.com/advisories/plex-media-server-unspecified |

- CVE Modified by [email protected], Aug. 21, 2025

Action | Type | Old Value | New Value |
---|---|---|---|
Changed | Description | Plex Media Server (PMS) versions 1.41.7.x through 1.42.0.x are affected by an unspecified security vulnerability reported via Plex’s bug bounty program. While technical details have not been publicly disclosed, the issue was acknowledged by the vendor and resolved in version 1.42.1. The vulnerability may have posed a risk to system integrity, confidentiality, or availability, prompting a strong recommendation for all users to upgrade immediately. | Plex Media Server (PMS) versions 1.41.7.x through 1.42.0.x are affected by an unspecified security vulnerability reported via Plex’s bug bounty program. While technical details have not been publicly disclosed, the issue was acknowledged by the vendor and resolved in version 1.42.1. The vulnerability may pose a risk to system integrity, confidentiality, or availability, prompting a strong recommendation for all users to upgrade immediately. |
Added | Reference | | https://www.vulncheck.com/advisories/plex-media-server-unspecified |

- New CVE Received by [email protected], Aug. 21, 2025

Action | Type | Old Value | New Value |
---|---|---|---|
Added | Description | | Plex Media Server (PMS) versions 1.41.7.x through 1.42.0.x are affected by an unspecified security vulnerability reported via Plex’s bug bounty program. While technical details have not been publicly disclosed, the issue was acknowledged by the vendor and resolved in version 1.42.1. The vulnerability may have posed a risk to system integrity, confidentiality, or availability, prompting a strong recommendation for all users to upgrade immediately. |
Added | CVSS V4.0 | | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Added | CWE | | CWE-20 |
Added | Reference | | https://forums.plex.tv/t/plex-media-server-security-update/928341 |
Added | Reference | | https://www.bleepingcomputer.com/news/security/plex-warns-users-to-patch-security-vulnerability-immediately/ |
Added | Reference | | https://www.plex.tv/media-server-downloads/ |
Added | Reference | | https://www.runzero.com/blog/plex/ |
Added | Reference | | https://www.tenable.com/plugins/nessus/250294 |