CVE-2025-34158 (CVSS 10): Plex Media Server Users Warned to Patch Critical Vulnerability Now

Plex Media Server (PMS) users are being urged to update their systems immediately after the discovery of a critical security vulnerability, now tracked as CVE-2025-34158, which has been assigned the maximum CVSS score of 10.0. The flaw impacts Plex Media Server versions 1.41.7.x through 1.42.0.x and has already been patched in the newly released version 1.42.1.

Although Plex has not disclosed technical details about the bug, the company confirmed it was reported responsibly via its bug bounty program. In a statement, Plex explained:

“We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses.”

While the precise attack vectors remain undisclosed, the CVSS 10 rating underscores the severity of the issue. According to Plex, the flaw could potentially compromise system integrity, confidentiality, or availability, making it a significant threat if left unpatched.

The patched release, Plex Media Server 1.42.1.10060, is now available through both the server management page and Plex’s official downloads page. Users still running vulnerable versions are strongly encouraged to upgrade as soon as possible.

Security experts caution that even in the absence of public exploit details, adversaries may reverse engineer the patch to uncover and weaponize the vulnerability. This makes immediate patching critical to reduce the risk of exploitation.

Related Posts:

• Asustor NAS devices were hit by Deadbolt ransomware
• Chrome Update Alert: Two High-Severity Flaws Patched – Update Now to Stay Safe!
• India plans to require e-commerce, social media companies such as Google Facebook to store data locally
• Americans have lost more than $2.7 billion to social media scams since 2021

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Do Son

Do Son (aka Ddos) is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.