LastPass Suffers Second Attack After Failing to Update Plex
March 7, 2023
LastPass, a password management software firm, recently disclosed a “second attack” that was caused by a failure to update Plex on the home computer of one of its engineers. The attackers exploited a flaw in the third-party media software package, tracked as CVE-2020-5741 (CVSS score: 7.2), to target the firm. The hackers installed a keylogger on the DevOps engineer’s computer and captured his master password.
According to the advisory published by Plex, “This issue allowed an attacker with access to the server administrator’s Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. This could be done by setting the server data directory to overlap with the content location for a library on which Camera Upload was enabled.” The incident demonstrates the importance of patch management, as the LastPass employee had never installed security updates provided by the software vendor. As stated by Plex, “This issue could not be exploited without first gaining access to the server’s Plex account. This issue has been assigned CVE-2020-5741.”
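The advisory's precondition (a server data directory that overlaps the content location of a library with Camera Upload enabled) is something an administrator can audit for as a compensating control while a patch is pending. The following is an added example, not code from the article or from Plex: it takes a constructed, hypothetical description of a server's settings (the `Library` records and the sample data directory below are made up for illustration and are not Plex's own configuration format) and reports every Camera Upload library whose content path is equal to, inside, or above the data directory. Paths are normalized lexically so that `..` segments cannot hide an overlap.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Library:
    """Hypothetical representation of one media library (constructed for this example)."""
    name: str
    content_paths: tuple[str, ...]
    camera_upload: bool


def _normalize(path: str) -> PurePosixPath:
    # Pure lexical normalization: collapse "." and ".." without touching the filesystem,
    # so the audit can run against an exported config on any machine.
    parts: list[str] = []
    for part in PurePosixPath(path).parts:
        if part == "..":
            if len(parts) > 1:
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts) if parts else PurePosixPath("/")


def paths_overlap(a: str, b: str) -> bool:
    """True if the two paths are equal or one is contained within the other."""
    pa, pb = _normalize(a), _normalize(b)
    return pa == pb or pa in pb.parents or pb in pa.parents


def find_overlaps(data_dir: str, libraries: list[Library]) -> list[tuple[str, str]]:
    """Return (library name, content path) pairs for Camera Upload libraries
    whose content location overlaps the server data directory."""
    findings: list[tuple[str, str]] = []
    for lib in libraries:
        if not lib.camera_upload:
            continue
        for content_path in lib.content_paths:
            if paths_overlap(data_dir, content_path):
                findings.append((lib.name, content_path))
    return findings


# Constructed sample configuration (not taken from any real server).
SAMPLE_DATA_DIR = "/var/lib/plexmediaserver"
SAMPLE_LIBRARIES = [
    # Overlap: content path sits inside the data directory.
    Library("Photos", ("/var/lib/plexmediaserver/Library/Photos",), camera_upload=True),
    # Not in scope: Camera Upload disabled.
    Library("Movies", ("/srv/media/movies",), camera_upload=False),
    # Fine: Camera Upload enabled but the path is disjoint from the data directory.
    Library("Camera Roll", ("/srv/media/camera",), camera_upload=True),
    # Overlap hidden behind a ".." segment; lexical normalization exposes it.
    Library("Scratch", ("/var/lib/plexmediaserver/../plexmediaserver/scratch",), camera_upload=True),
]


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample and return the findings."""
    return find_overlaps(SAMPLE_DATA_DIR, SAMPLE_LIBRARIES)


if __name__ == "__main__":
    for name, path in audit_sample():
        print(f"overlap: library '{name}' content path {path} overlaps {SAMPLE_DATA_DIR}")
```

Running the script prints two findings (`Photos` and `Scratch`); `Movies` is skipped because Camera Upload is off, and `Camera Roll` is clean. The check is purely lexical by design: it does not resolve symlinks, so a finding of "no overlap" should be confirmed on the host, while any reported overlap is a real configuration to fix regardless.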