Back to KEVs

CVE-2020-5741

Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.

Basic Information

CVE State
PUBLISHED
Reserved Date
January 06, 2020
Published Date
May 08, 2020
Last Updated
February 06, 2025
Vendor
n/a
Product
Plex Media Server (Windows)
Description
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2023-03-10 00:00:00 UTC) Source

References

https://www.tenable.com/security/research/tra-2020-32 http://packetstormsecurity.com/files/158470/Plex-Unpickle-Dict-Windows-Remote-Code-Execution.html

Known Exploited Vulnerability Information

Source Added Date
CISA 2023-03-10 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/plex_unpickle_dict_rce.rb 2025-04-29 11:01:39 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

plex_unpickle_dict_rce

Type: metasploit • Created: Unknown

Metasploit module for CVE-2020-5741