Over 300,000 Plex Media Server installations remain susceptible to exploitation due to CVE-2025-34158
Over 300,000 internet-facing Plex Media Server instances remain vulnerable to the critical CVE-2025-34158, despite a fix having been released earlier this month. Plex Media Server (PMS) turns a Windows, Linux, or macOS computer, or a network-attached storage device, into a personal media server: it organises movies, music, photos, and other media and streams them to a range of client devices. CVE-2025-34158 is an improper input validation vulnerability affecting PMS versions 1.41.7.x through 1.42.0.x. Its CVSS vector indicates that it can be exploited over the network with no authentication and no user interaction, and that a successful attack can compromise the confidentiality, integrity, and availability of the server, allowing an attacker to read, corrupt, or disable the private data it hosts.
Following the release of the fix, Plex emailed users urging them to upgrade to version 1.42.1.10060 or later, but many have yet to do so. Censys recently reported that 428,083 devices, most of them in the US and Europe, expose the Plex Media Server web interface to the internet; as of August 25, at least 314,000 of them were still running vulnerable versions. Plex Media Server vulnerabilities have been exploited in the wild before: during the 2022 LastPass breach, the attacker compromised a DevOps engineer's home computer through an unpatched Plex Media Server, a bug Plex later identified as CVE-2020-5741, which had been fixed in 2020. Technical details of CVE-2025-34158 have not been disclosed, so the version string is currently the only practical indicator of exposure. Users are strongly urged to update, to avoid exposing the Plex web interface directly to the internet, and to secure their Plex accounts, for example by enabling two-factor authentication.
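Because the only public indicator of exposure is the version string, the practical check an operator can run is to read the server's version and compare it against the advisory's affected range (1.41.7.x through 1.42.0.x) and the fixed release (1.42.1.10060). The script below is an added example, not code from the article or from Plex. It assumes that an unauthenticated GET to `/identity` on the Plex port (32400 by default) returns a `MediaContainer` XML element whose `version` attribute carries the server version; the sample response embedded here is constructed for the example, not captured from a live server, and the `fetch_identity` helper is only used when you point the script at a host of your own.

```python
"""Classify a Plex Media Server version against the CVE-2025-34158 advisory.

Added example (not from the article or from Plex). Assumption: the server
answers GET /identity with XML such as the constructed sample below, where the
MediaContainer 'version' attribute holds the build version.
"""
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Version bounds taken from the advisory text: affected 1.41.7.x .. 1.42.0.x,
# first fixed build 1.42.1.10060.
AFFECTED_MIN = (1, 41, 7)
AFFECTED_MAX = (1, 42, 0)
FIXED = (1, 42, 1, 10060)

# Constructed sample of a /identity response (machineIdentifier is made up).
SAMPLE_IDENTITY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<MediaContainer size="0" claimed="1" machineIdentifier="0123abcd4567"'
    ' version="1.42.0.10244-cbd5b4a37"/>'
)


def parse_version(version):
    """Turn '1.42.0.10244-cbd5b4a37' into (1, 42, 0, 10244).

    Plex appends a build hash after a hyphen; only the dotted numeric prefix
    is compared. Raises ValueError on strings with no numeric prefix.
    """
    match = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version):
    """Return 'vulnerable', 'fixed', 'older-than-range' or 'unknown'.

    'older-than-range' means the build predates the advisory's affected range;
    it is not listed as affected, but it is also long out of date and should be
    upgraded. 'unknown' covers builds newer than the affected range but older
    than the first fixed build, which the advisory does not describe.
    """
    parsed = parse_version(version)
    if parsed >= FIXED:
        return "fixed"
    short = parsed[:3]  # compare major.minor.patch against the x-ranges
    if AFFECTED_MIN <= short <= AFFECTED_MAX:
        return "vulnerable"
    if short < AFFECTED_MIN:
        return "older-than-range"
    return "unknown"


def version_from_identity(xml_text):
    """Extract the 'version' attribute from a /identity MediaContainer document."""
    root = ET.fromstring(xml_text)
    if root.tag != "MediaContainer" or "version" not in root.attrib:
        raise ValueError("document is not a Plex /identity response")
    return root.attrib["version"]


def fetch_identity(host, port=32400, timeout=5.0):
    """Fetch /identity from a server you operate (plain HTTP, no auth needed)."""
    url = f"http://{host}:{port}/identity"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # With no argument, classify the constructed sample; otherwise query a host.
    xml_text = fetch_identity(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IDENTITY
    ver = version_from_identity(xml_text)
    print(f"Plex Media Server {ver}: {classify(ver)}")
```

Run it as `python3 plex_check.py <host>` against your own server, or with no argument to see the constructed sample classified. The tri-state result matters in practice: a build below 1.41.7 is not in the advisory's affected range, but it is also far behind the fixed release and should be upgraded rather than treated as safe.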