LastPass Breach Caused By Engineer Not Updating Plex

In light of the recent LastPass breach, it is worth reminding people of the dangers of not keeping their software up to date. LastPass revealed that the breach was the result of one of its engineers failing to update Plex on their home computer.

The attack specifically targeted one of the company's DevOps engineers: the attackers obtained the engineer's credentials and used them to breach the cloud storage environment. This was made possible by exploiting a nearly three-year-old, now-patched flaw in Plex.

The vulnerability in question is CVE-2020-5741, a deserialization flaw impacting Plex Media Server on Windows that allows a remote, authenticated attacker to execute arbitrary Python code in the context of the current operating system user.
