What Actually Happened at LastPass

The LastPass breach of 2022 has been extensively analyzed, but one detail doesn't get enough attention: the initial point of compromise was not a corporate system. It was the personal home computer of a senior engineer who happened to have access to decryption keys for LastPass's production backup storage.

The attacker exploited a known vulnerability in Plex Media Server - software the engineer ran at home to stream personal media. The CVE for the vulnerability had been public for over two years. A patch was available. The engineer simply hadn't applied it.

This is not an unusual story. It's an unusually well-documented version of a story that happens constantly.

Why Your RMM Wouldn't Have Caught This

Modern RMMs - ConnectWise Automate, Datto RMM, NinjaRMM, and others - are excellent at what they were designed for: managing and patching the Windows operating system and a curated list of common enterprise applications. Microsoft Office. Adobe Reader. Google Chrome. Firefox. The 50-100 applications that appear most frequently in corporate environments.

Plex Media Server is not on that list. It's not a corporate application. Neither is VLC, HandBrake, OBS Studio, Steam, or hundreds of other applications that are routinely installed on managed devices - particularly the personal and hybrid-use devices that are now standard in hybrid workforces.

The patching gap is larger than most organizations realize. A typical managed Windows device might have 80-120 installed applications. Your RMM patches 30-40 of them. The remaining 40-90 applications - including whatever the user installed themselves - are left unpatched indefinitely unless the user manually updates them.

This isn't a criticism of RMM vendors. Their platforms were built for the corporate IT management use case. But the threat landscape has moved: attackers have discovered that attacking hybrid-use devices through non-enterprise applications is an efficient path into corporate environments, precisely because the patching gap is so consistent and so predictable.

The 2,000-App Difference

Lavawall® was built with this gap explicitly in mind. The platform patches 7,533+ applications across Windows, macOS, and Linux - including the industry-specific, niche, and consumer applications that RMMs leave unpatched.

This includes applications common in specific verticals: the legacy practice management software your medical clinic runs, the accounting platform your CPA firm uses, the media software that engineers and developers install on their work machines. Lavawall® doesn't just patch the 50 applications your RMM vendor decided were worth supporting - it patches the actual application footprint of your actual devices.

The practical impact of this is significant. When Lavawall® is deployed alongside an existing RMM, it consistently identifies unpatched applications the RMM was never monitoring. In environments where CIS Controls compliance is required, unpatched third-party applications are a direct gap against CIS Control 7 (Continuous Vulnerability Management).

The Hybrid Workforce Complication

The LastPass breach happened on a home device, but the same attack vector exists on fully managed corporate devices - because employees install software on managed machines all the time. Game launchers. Personal productivity tools. Utilities they found online. Applications specific to side projects or personal interests.

Corporate IT policy may prohibit unauthorized software, but policy and enforcement are different things. Lavawall® doesn't just patch authorized applications - it inventories everything installed on monitored devices and flags applications that fall outside approved software lists. This serves two purposes: it closes the patching gap, and it surfaces shadow IT that security teams often don't know exists.

What Monitoring Alone Doesn't Solve

It's worth noting that many security tools would have detected the LastPass breach after the initial compromise - unusual network traffic, privilege escalation attempts, abnormal data access patterns. Detection is important. But the LastPass attacker had months of access before detection, and the damage done during that window was irreversible.

Closing the patching gap doesn't eliminate all risk. But it does eliminate a reliable and consistently exploited class of risk that attackers are actively targeting. The Plex vulnerability used in the LastPass breach was a known CVE with a public patch. There was no zero-day exploitation required - just an unpatched application and patience.

What You Should Ask Your Current MSP or RMM Vendor

The next time your IT provider does a quarterly review, ask them to generate a report of every installed application on every managed device - and then identify which ones are being actively patched. The gap between those two lists is your unmanaged patching exposure.

If they can't produce that report, that's an answer in itself.
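The report described above (every installed application on a device, diffed against what the RMM actually patches) can be produced per device with a few lines of PowerShell. The script below is an added example, not Lavawall's or any RMM vendor's code: it reads the Windows uninstall registry keys (machine-wide 64-bit and 32-bit, plus the per-user key where self-installed software such as media players or game launchers usually lands) and compares the result against `$RmmPatchedApps`, a constructed placeholder list of wildcard patterns that you would replace with the list your MSP or RMM vendor provides. Everything it does not match is the unmanaged patching exposure the 80-120 versus 30-40 figures earlier in the post describe.

```powershell
# Added example (not Lavawall's code): diff installed applications against the
# set an RMM patches. $RmmPatchedApps is a constructed placeholder; replace it
# with the patch-coverage list from your MSP/RMM vendor. Patterns are -like
# wildcards so version suffixes in DisplayName ("Mozilla Firefox (x64 en-US)") still match.
$RmmPatchedApps = @(
    'Google Chrome',
    'Mozilla Firefox*',
    'Adobe Acrobat*',
    'Microsoft 365*',
    '7-Zip*'
)

# Uninstall keys: 64-bit, 32-bit (WOW6432Node) and per-user (HKCU) installs.
# Per-user installs need no admin rights, so they are where user-installed
# software (and therefore shadow IT) most often appears.
$UninstallKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'Machine' },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'; Scope = 'Machine' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*';             Scope = 'User' }
)

function Get-InstalledApplication {
    # Emit one object per uninstall entry that has a DisplayName and is not a
    # hidden system component (SystemComponent=1 entries are OS plumbing, not apps).
    foreach ($key in $UninstallKeys) {
        Get-ItemProperty -Path $key.Path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
            ForEach-Object {
                [pscustomobject]@{
                    Name        = $_.DisplayName.Trim()
                    Version     = $_.DisplayVersion
                    Publisher   = $_.Publisher
                    Scope       = $key.Scope
                    InstallDate = $_.InstallDate
                }
            }
    }
}

function Test-RmmPatched {
    # True if the application name matches any pattern the RMM is known to patch.
    param([string]$Name)
    foreach ($pattern in $RmmPatchedApps) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

$Installed = Get-InstalledApplication | Sort-Object Name -Unique
$Unmanaged = $Installed | Where-Object { -not (Test-RmmPatched $_.Name) }

"Installed applications : {0}" -f $Installed.Count
"Patched by RMM         : {0}" -f ($Installed.Count - $Unmanaged.Count)
"Unmanaged (the gap)    : {0}" -f $Unmanaged.Count

# The gap list, per-user installs first since those are the likeliest shadow IT.
$Unmanaged |
    Sort-Object @{ Expression = 'Scope'; Descending = $true }, Name |
    Format-Table Name, Version, Publisher, Scope -AutoSize

# Export for the quarterly review; one CSV per device, named after the host.
$Unmanaged | Export-Csv -Path "$env:COMPUTERNAME-patching-gap.csv" -NoTypeInformation
```

Run it in an elevated session so the HKLM keys are readable, then run it again as the logged-on user if the elevated account differs from theirs, since HKCU is per user. The registry view is a floor, not a ceiling: portable executables, per-user installers that skip the uninstall key, and Microsoft Store packages (see `Get-AppxPackage`) will not appear here, so treat the resulting gap count as a lower bound.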

Lavawall® deploys in days and immediately generates a full application inventory with patch compliance status across all monitored devices. See your real patching exposure in 48 hours.

Get a Free Patching Gap Assessment