CVE-2025-58762
📋 TL;DR
This vulnerability allows attackers with administrative access to Tautulli to write arbitrary Python scripts to the filesystem and execute them, leading to remote code execution. It affects Tautulli v2.15.3 and earlier. Attackers can achieve this by controlling the Plex Media Server URL and exploiting unsanitized parameters in the pms_image_proxy endpoint.
💻 Affected Systems
- Tautulli
📦 What is this software?
Tautulli by Tautulli
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Tautulli server with attacker gaining complete control over the system, potentially leading to data theft, lateral movement, or persistence mechanisms.
Likely Case
Attackers with administrative credentials can execute arbitrary code on the Tautulli server, potentially compromising the entire application and underlying system.
If Mitigated
With proper access controls and network segmentation, impact is limited to the Tautulli application itself, though code execution remains possible.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once they are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.16.0
Vendor Advisory: https://github.com/Tautulli/Tautulli/security/advisories/GHSA-pxhr-29gv-4j8v
Restart Required: Yes
Instructions:
1. Back up the current Tautulli configuration.
2. Stop the Tautulli service.
3. Update to v2.16.0 via package manager or manual installation.
4. Restart the Tautulli service.
5. Verify the version is now 2.16.0 or higher.
🔧 Temporary Workarounds
Restrict administrative access
Limit administrative access to the Tautulli interface to trusted users only
Network segmentation
Isolate the Tautulli server from critical systems and limit outbound connections
🧯 If You Can't Patch
- Implement strict access controls for Tautulli administrative interface
- Monitor for suspicious file writes in Tautulli application directories
🔍 How to Verify
Check if Vulnerable:
Check the Tautulli version in the web interface or from the command line: grep 'version' /path/to/tautulli/config.ini
Check Version:
grep 'version' /path/to/tautulli/config.ini
Verify Fix Applied:
Confirm the version is 2.16.0 or higher in the Tautulli web interface or configuration file.
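The version check above is easy to get wrong when done by string comparison ("2.9.0" sorts after "2.16.0" lexically). The following is an added example, not code from the advisory or from the Tautulli project, that reads a `version` line from a config file and compares it numerically against the fixed version 2.16.0. The config layout (a bare `version = ...` line) and the sample file contents are assumptions for illustration; Tautulli's real config.ini may store the value differently.

```python
import re

# Version in which the vulnerability is fixed, per the advisory.
FIXED_VERSION = (2, 16, 0)

VERSION_LINE_RE = re.compile(r"^\s*version\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Turn '2.15.3', 'v2.16.0' or '2.16.0-beta' into a comparable int tuple."""
    core = text.strip().lstrip("vV").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version_str):
    """True when the installed version is older than the fixed release."""
    return parse_version(version_str) < FIXED_VERSION


def version_from_config(config_text):
    """Extract the version string from config text; None if no version line exists."""
    match = VERSION_LINE_RE.search(config_text)
    return match.group(1) if match else None


def check_config(config_text):
    """Return (version_str, vulnerable) for a config file's contents."""
    version = version_from_config(config_text)
    if version is None:
        raise ValueError("no 'version' line found in config")
    return version, is_vulnerable(version)


# Constructed sample config contents (assumed layout, not a real Tautulli file).
SAMPLE_CONFIG_OLD = "[General]\nversion = 2.15.3\nhttp_port = 8181\n"
SAMPLE_CONFIG_NEW = "[General]\nversion = v2.16.0\nhttp_port = 8181\n"

if __name__ == "__main__":
    for sample in (SAMPLE_CONFIG_OLD, SAMPLE_CONFIG_NEW):
        ver, vuln = check_config(sample)
        print(f"version {ver}: {'VULNERABLE' if vuln else 'patched'}")
```

Tuple comparison is what makes the check safe across minor versions with two digits; a plain string comparison would report 2.9.x as newer than 2.16.0.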
📡 Detection & Monitoring
Log Indicators:
- Unusual pms_image_proxy requests with path traversal characters
- File writes to unexpected locations in Tautulli directories
- Script notification agent executing unfamiliar scripts
Network Indicators:
- Outbound connections from Tautulli to unfamiliar PMS servers
- Unusual HTTP requests to pms_image_proxy endpoint
SIEM Query:
source="tautulli" AND (uri="/pms_image_proxy" AND (img_format CONTAINS ".." OR img_format CONTAINS "/"))
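The SIEM query above expresses the detection rule in pseudo-syntax. The following is an added example, not code from the advisory or from Tautulli, that applies the same rule (a request to the pms_image_proxy endpoint whose img_format parameter contains ".." or "/") to access log lines. It goes slightly beyond the query by URL-decoding the parameter first, so percent-encoded traversal sequences are caught as well. The log line format and the sample lines are constructed for illustration and are not Tautulli's real log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (assumed format: ts src method uri status).
SAMPLE_LOG = """\
2025-09-01 12:00:01 192.0.2.10 GET /pms_image_proxy?img=/library/metadata/1/thumb&img_format=png 200
2025-09-01 12:00:02 192.0.2.10 GET /home 200
2025-09-01 12:00:03 198.51.100.7 GET /pms_image_proxy?img=x&img_format=../../scripts/evil.py 200
2025-09-01 12:00:04 198.51.100.7 GET /pms_image_proxy?img=x&img_format=%2e%2e%2fscripts%2fevil.py 200
2025-09-01 12:00:05 192.0.2.11 GET /pms_image_proxy?img=y&img_format=jpg 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d+)$"
)


def is_traversal_value(value):
    """Mirror the SIEM rule after decoding: flag '..' or '/' in the value.

    An extra unquote pass also catches double-encoded variants.
    """
    decoded = unquote(unquote(value))
    return ".." in decoded or "/" in decoded


def find_suspicious_requests(log_text):
    """Return one dict per pms_image_proxy request with a traversal-like img_format."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the expected layout
        parts = urlsplit(match.group("uri"))
        if parts.path.rstrip("/") != "/pms_image_proxy":
            continue
        # parse_qs decodes once; keep_blank_values so empty params are still visible
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("img_format", []):
            if is_traversal_value(value):
                hits.append(
                    {
                        "timestamp": match.group("ts"),
                        "src": match.group("src"),
                        "img_format": unquote(value),
                    }
                )
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['src']} img_format={hit['img_format']!r}")
```

Only img_format is inspected, matching the advisory's query; the img parameter legitimately contains slashes (a Plex metadata path), so flagging it would produce noise.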