**The Growing Threat of Exploited Vulnerabilities: A Case Study on LastPass and Plex Media Server**
In a recent discussion on the TWiT podcast, the host discussed the rapid growth of the Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities (KEV) database. While the database saw significant expansion last year compared to previous years, an analysis revealed that most of the newly added CVEs (Common Vulnerabilities and Exposures) were not new exploits but old vulnerabilities that had remained unpatched for years.
One notable example highlighted was **CVE-2020-5741**, a deserialization-of-untrusted-data flaw identified three years earlier in Plex Media Server for Windows. Despite the flaw being publicly known and patched, it appears that some users, including an unfortunate LastPass developer, were still running outdated, unpatched versions of Plex Media Server on their systems.
This led to a security incident in which attackers exploited the vulnerability, which lets a remote, unauthenticated attacker execute arbitrary Python code on the victim's computer. The attack targeted LastPass developers, likely using the first wave of the attack to identify and track down specific individuals. Their home IP addresses were scanned, and once port 32400, which is commonly associated with Plex Media Server, was found open, the attackers were able to query their master exploit database for known vulnerabilities in Plex.
In this case, **CVE-2020-5741** stood out as a three-year-old, remotely exploitable vulnerability. The attackers likely thought, "Could we be this lucky?" And indeed, they were. With just basic knowledge of Python, the attackers were able to exploit this vulnerability and gain unauthorized access to sensitive systems.
The discussion also touched on the possibility that North Korea may have been involved in the attack, given the highly targeted nature of the exploit. The fact that the attackers knew exactly what they wanted—presumably the vaults containing LastPass user data—highlighted the sophistication and intent behind the attack. This incident serves as a stark reminder of the risks posed by unpatched vulnerabilities and the lengths to which adversaries may go to exploit them.
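The date analysis described above (how old a CVE already was when KEV listed it) can be combined with a check against your own software inventory. This is an added example, not code from the podcast or from CISA; the records are constructed in the KEV JSON field layout (`cveID`, `vendorProject`, `product`, `dateAdded`), and the inventory, placeholder CVE IDs and all dates are assumptions.

```python
import re
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed.
# Only CVE-2020-5741 / Plex Media Server comes from the article; the other
# IDs are placeholders and every dateAdded value is made up for illustration.
KEV_SAMPLE = [
    {"cveID": "CVE-2020-5741", "vendorProject": "Plex",
     "product": "Media Server", "dateAdded": "2023-03-01"},
    {"cveID": "CVE-2017-XXXX1", "vendorProject": "ExampleCorp",
     "product": "Mail Gateway", "dateAdded": "2023-05-12"},
    {"cveID": "CVE-2023-XXXX2", "vendorProject": "ExampleCorp",
     "product": "VPN Appliance", "dateAdded": "2023-06-20"},
    {"cveID": "CVE-2021-XXXX3", "vendorProject": "SampleSoft",
     "product": "Print Server", "dateAdded": "2022-11-02"},
]
# Hypothetical inventory of (vendor, product), home and lab machines included.
INVENTORY = {("plex", "media server"), ("examplecorp", "vpn appliance")}

def added_year(entry):
    return date.fromisoformat(entry["dateAdded"]).year

def age_at_listing(entry):
    """Whole years between the CVE ID's year and the year KEV listed it."""
    m = re.match(r"CVE-(\d{4})-", entry["cveID"])
    if m is None:
        raise ValueError(f"not a CVE identifier: {entry['cveID']!r}")
    return added_year(entry) - int(m.group(1))

def old_share(entries, year, min_age=1):
    """Fraction of entries added in `year` that were already min_age+ years old."""
    added = [e for e in entries if added_year(e) == year]
    if not added:
        return 0.0
    return sum(age_at_listing(e) >= min_age for e in added) / len(added)

def inventory_hits(entries, inventory):
    """KEV entries for products we run, oldest CVE first."""
    hits = [e for e in entries
            if (e["vendorProject"].lower(), e["product"].lower()) in inventory]
    return sorted(hits, key=age_at_listing, reverse=True)

if __name__ == "__main__":
    print(f"old CVEs among 2023 additions: {old_share(KEV_SAMPLE, 2023):.0%}")
    for e in inventory_hits(KEV_SAMPLE, INVENTORY):
        print(e["cveID"], e["vendorProject"], e["product"],
              f"listed {age_at_listing(e)} year(s) after assignment")
```

The year in a CVE ID is the assignment year, so the age is approximate; a hit with a large age means a fix has probably been available for a long time and the installed version should be checked first.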
As a result of this breach, many users have moved away from using LastPass for their password management needs. The episode concluded with a call to switch to Linux, the operating system that powers the internet, gaming consoles, smartphones, and even the machine on your desk. While you might already know about Linux's prevalence, there’s much more to discover about its capabilities and benefits.
For those interested in diving deeper into the world of Linux, the hosts encouraged listeners to join **The Untitled Linux Show**, a Club TWiT exclusive series dedicated to exploring all things Linux. Whether you're a seasoned professional, an aspiring tinkerer, or simply curious, this show offers valuable news analysis and tips to enhance your Linux skills. To access the show and other exclusive content, be sure to subscribe to Club TWiT by visiting [twit.tv/Club-TWiT](https://twit.tv/Club-TWiT). If you're not already a member, now is the time to join!
---
This article provides a detailed transcription-based overview of the discussed cybersecurity incident, emphasizing the importance of patching vulnerabilities and the growing threat landscape in cyber warfare.

This is TWiT. Now, there is no relation between Plex track and the Plex Media Server? No. So let's hope not. Clear. Oh no. Last week we were talking about the growth of CISA's KEV database, uh, you know, where KEV is the abbreviation for Known Exploited Vulnerabilities, and how, while it grew much faster last year than in any previous year, an examination of the dates of the CVEs that were added during this most recent past year revealed that the large majority of these were not new problems being exploited but rather old problems that had never been patched. So I noted that CISA had just added CVE-2020-5741. 2020. That's three years old. That's three years, right. And what is 5741, you might ask? Well, it's a deserialization flaw of untrusted data which was found, as we noted, three years ago in the Plex Media Server for Windows. But who would be, who would be running three-year-old unpatched versions of Plex on their Windows machines? Who indeed. Who indeed, my friend. It happened that an unfortunate LastPass developer, yes, was doing so, after which a distinct lack of fortune was visited upon all LastPass users. That's a good way to put it. A remote unauthenticated attacker is able to execute their arbitrary Python code on the victim's computer. Can we make it any easier? Only. So we know now, we know that this developer was using a publicly exposed Plex Media Server which was three years out of date, since of course CVE-2020-5741 had been found, was known, and had been fixed.

I've been saying for a while now that any serious cyber warfare agency or group across the globe must be maintaining a vulnerability and exploit database indexed by target vendor. So in the instance of this second LastPass attack, LastPass's developers were identified, probably with the aid of the first attack on that developer network. Right. Then they were tracked down and identified at home, and their home IP addresses were scanned. When port 32400 was found to be accepting inbound TCP connections at one of those IPs, that port was looked up and the Plex Media Server was found to be the most common user of that port. Then the attackers' master vulnerability and exploit database was queried for Plex, and a three-year-old remotely exploitable vulnerability stood out. "Could we be this lucky?" the attackers probably thought to themselves, and indeed they were. And we weren't. I know a little Python, I want to go, I could take advantage of this, Governor. That's right. And I don't know if anything was more has been learned, but I did hear something about North Korea being the, oh really, the presumed source of the attack. The thing that makes me scared, it was so clearly targeted. Yeah. And that means they knew what they wanted, which is the vaults, which means, I presume, they knew what to do with them. Yeah. Yeah. Which is the reason we're no longer all using LastPass. Yeah.

Hey, we should talk Linux. It's the operating system that runs the internet, bunch of game consoles, cell phones, and maybe even the machine on your desk. If you already knew all that, what you may not know is that TWiT now is a show dedicated to it: the Untitled Linux Show. Whether you're a Linux pro, a burgeoning assisted man, or just curious what the big deal is, you should join us on the Club TWiT Discord every Saturday afternoon for news analysis and tips to sharpen your Linux skills. And then make sure you subscribe to the Club TWiT exclusive Untitled Linux Show. Wait, you're not a Club TWiT member yet? Well, go to twit.tv/Club-TWiT and sign up. Hope to see you there. All right.