CVE-2025-58762
Tautulli · Python-based monitoring and tracking tool for Plex Media Server
Executive summary
A critical vulnerability has been identified in Tautulli, a monitoring tool for Plex Media Server. This flaw allows an attacker who has already gained administrative access to the Tautulli interface to write arbitrary files to the underlying server. Successful exploitation could lead to complete system compromise, allowing the attacker to execute malicious code and take full control of the host machine.
Vulnerability
The vulnerability exists within the pms_image_proxy endpoint, which fails to properly sanitize user-supplied input for file paths. An authenticated attacker with administrative privileges can craft a malicious request to this endpoint, using path traversal sequences (e.g., ../) to navigate outside of the intended directory. This allows the attacker to write an arbitrary file, such as a web shell or malicious script, to any location on the server's filesystem where the Tautulli process has write permissions, leading to remote code execution (RCE).
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.1. Although exploitation requires administrative credentials, the post-authentication impact is severe. A successful attack could result in a complete loss of confidentiality, integrity, and availability of the affected server. Potential consequences include theft of sensitive data from the server, disruption of media services, and the use of the compromised system as a pivot point to launch further attacks against the internal network. The reputational damage and the cost of incident response and recovery present significant business risks.
Remediation
Immediate Action: Update Tautulli to the latest version. The vendor has released a patched version that addresses this vulnerability; administrators should upgrade to a version later than v2.15.3 immediately. After patching, monitor for exploitation attempts and review access logs for any signs of compromise prior to the update.
Proactive Monitoring: Security teams should monitor web server and application logs for suspicious requests to the /pms_image_proxy endpoint, specifically looking for path traversal characters (../, ..\) or unusual file names/paths in the request parameters. Monitor filesystem integrity for unexpected file creation or modification in sensitive system directories or the web root. An EDR solution can help detect anomalous process execution originating from the Tautulli service.
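As an added illustration of the log review described above (example code written for this advisory, not part of Tautulli or the vendor's guidance), the script below scans constructed access-log lines in common log format for requests to /pms_image_proxy whose query parameters contain a traversal sequence after full percent-decoding, so that double-encoded variants (%252e%252e) are caught as well as the plain ../ and ..\ forms. The log format, the parameter name "img" and all addresses and file names are assumptions made up for the sample.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real Tautulli logs). Line 1 is a normal
# image request; lines 2, 3 and 5 carry traversal sequences in plain,
# double-encoded and backslash form; line 4 is unrelated traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Oct/2025:10:00:01 +0000] "GET /pms_image_proxy?img=%2Flibrary%2Fmetadata%2F1234%2Fthumb HTTP/1.1" 200 5120
203.0.113.9 - - [01/Oct/2025:10:00:02 +0000] "GET /pms_image_proxy?img=..%2F..%2F..%2Fsomewhere%2Fdropped.txt HTTP/1.1" 200 12
203.0.113.9 - - [01/Oct/2025:10:00:03 +0000] "GET /pms_image_proxy?img=%252e%252e%2F%252e%252e%2Fdropped.py HTTP/1.1" 200 12
203.0.113.7 - - [01/Oct/2025:10:00:04 +0000] "GET /home HTTP/1.1" 200 900
203.0.113.9 - - [01/Oct/2025:10:00:05 +0000] "GET /pms_image_proxy?img=..%5C..%5Cdropped.ini HTTP/1.1" 200 12
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path component bounded by a slash or backslash (or string start/end)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double- or triple-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious(log_text, endpoint="/pms_image_proxy"):
    """Return one record per query parameter on `endpoint` that contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m.group("target"))
        if url.path != endpoint:
            continue
        # parse_qs decodes one layer; decode_fully handles anything nested
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for raw in values:
                decoded = decode_fully(raw)
                if TRAVERSAL_RE.search(decoded):
                    hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "param": name, "value": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["value"]!r}')
```

Matches should be correlated with file-creation events on the host, since the traversal itself only tells you a write outside the image cache was attempted, not whether it succeeded.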
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Restrict network access to the Tautulli administrative interface to only trusted IP addresses and authorized personnel.
- Place the Tautulli instance behind a Web Application Firewall (WAF) with rules configured to block path traversal attacks.
- Ensure the Tautulli service runs as a low-privilege user to limit the potential impact of an arbitrary file write.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical severity (CVSS 9.1) of this vulnerability, we strongly recommend that all organizations running affected versions of Tautulli apply the vendor-supplied patch immediately. The prerequisite of administrative access should not be seen as a significant mitigating factor, as credentials can be compromised through various methods. Although this vulnerability is not currently listed in the CISA KEV catalog, its potential for complete system compromise warrants urgent attention. Prioritize this patch to prevent potential data breaches and unauthorized access to your network infrastructure.