Articles in this section

What does Imunify notifications do in Plesk?
PHP settings do not apply on a domain when CageFS is enabled in CloudLinux
[CVE-2025-66431] Security vulnerability in domain creation mechanism allows Plesk users to execute arbitrary code on behalf of root
Generating CSR certificate under AlmaLinux 9 and AlmaLinux 10 does not save the Country, City and other fields from SSL certificate settings section
Plesk update fails: bind9 package is half-configured
Wrong $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME'] using Default Site in IP Addresses
Plesk / system update fails after dist-upgrade from Debian 11 to Debian 12: Depends: libodbc2 (>= 2.3.1) but it is not going to be installed
Accessing Apache & nginx settings in Plesk 18.0.72.0 returns error 500: Return value must be of type bool, null returned
Vulnerability CVE-2025-54336
Unable to open mail server configuration for a domain in Plesk UI: The label can only be a string
See more

Vulnerability CVE-2025-54336

Julian Bonpland Mignaquy

Updated August 01, 2025 14:41

Situation

A vulnerability identified as CVE-2025-54336 (SEC-69430) affects how Plesk compares the admin password during authentication.

Impact

An unauthenticated attacker can log in to Plesk as the admin and fully compromise the server if the admin’s password is set to 0e followed by digits only, e.g., 0e648637705914326006017218 (very unlikely situation)
An unauthenticated attacker can brute-force the admin’s password more effectively with timing attacks and/or type confusion attacks.

Call to action

The issue is resolved in the following Plesk versions:

Plesk Obsidian 18.0.71 Update 2
Plesk Obsidian 18.0.70 Update 4

Update to one of the versions above to apply the fix.

If updating is not an option change the password as described here Changing Your Password

Comments

1 comment

William Hopper
November 29, 2025 07:49

Thanks for info

0

Please sign in to leave a comment.