- Plesk for Linux
There is a publicly available exploit:
Plesk for Linux uses PHP-FPM in the following places:
"PHP X.Y" components.
Plesk domains with PHP version 7.3 (≤7.3.10), 7.2 (≤7.2.23), 7.1 (≤7.1.32), 7.0, 5.6, 5.5, 5.4, or 5.3 and the PHP handler "FPM application served by nginx" or "FPM application served by Apache" are potentially vulnerable. Successful exploitation allows a remote attacker to execute arbitrary code as the system user of the Plesk subscription that owns the domain.
The publicly available exploit does not work in a Plesk environment out of the box, but we believe that with some effort it could be modified to work there too. Such an exploit would affect only domains with PHP version 7.3, 7.2, 7.1, or 7.0 and the PHP handler "FPM application served by nginx". We are not aware of exploits affecting other configurations.
sw-engine package (a part of "Plesk" component).
We believe that the configuration of sw-engine does not allow the vulnerability to be exploited.
Call to action
If you use an outdated PHP version (7.0, 5.6, 5.5, 5.4, or 5.3), stop doing so. Ensure that your PHP applications support one of the maintained PHP versions (7.3, 7.2, or 7.1) and switch your domains to that version in Plesk. Then switch off the outdated PHP handlers server-wide (see Configuring PHP Handlers).
Update Plesk if you have not already done so. This updates the "PHP 7.3", "PHP 7.2", and "PHP 7.1" components to versions newer than the affected ranges listed above. See the Change Log for Plesk Obsidian or the Change Log for Plesk Onyx for details.
Also, please let us know if you are aware of exploits for this vulnerability that work in a Plesk environment.
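The affected ranges given above and the triage in the call to action can be turned into a small checklist script. The following POSIX shell script is an added example written for this page; it is not Plesk's own tooling. It assumes PHP versions are plain dotted numerics such as "7.3.10" or "7.0" (any trailing suffix such as "-plesk" is stripped), matches handlers on the substrings "FPM" and "nginx" of the Plesk display names quoted above, and runs over a constructed domain inventory embedded in the script.

```shell
#!/bin/sh
# Added example, not Plesk's own tooling: classify a domain's PHP version and
# handler against the affected ranges stated in this advisory.
#
# Assumptions (not from the advisory): versions are plain dotted numerics such
# as "7.3.10" or "7.0" (a "-plesk" style suffix is stripped); handler names are
# matched on the substrings "FPM" and "nginx" of the Plesk display names.

# split3 VERSION: sets v1 v2 v3 to major, minor, patch (missing parts become 0).
split3() {
  sv=${1%%[!0-9.]*}
  v1=${sv%%.*}; rest=${sv#"$v1"}; rest=${rest#.}
  v2=${rest%%.*}; rest=${rest#"$v2"}; rest=${rest#.}
  v3=${rest%%.*}
  : "${v1:=0}" "${v2:=0}" "${v3:=0}"
}

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B. Numeric per component,
# so 7.3.9 sorts before 7.3.10 (a plain string compare would get this wrong).
vercmp() {
  split3 "$1"; x1=$v1; x2=$v2; x3=$v3
  split3 "$2"; y1=$v1; y2=$v2; y3=$v3
  for pair in "$x1 $y1" "$x2 $y2" "$x3 $y3"; do
    set -- $pair
    if [ "$1" -lt "$2" ]; then echo -1; return 0; fi
    if [ "$1" -gt "$2" ]; then echo 1; return 0; fi
  done
  echo 0
}

# classify VERSION HANDLER: prints one of
#   not-affected            handler is not PHP-FPM
#   unlisted                FPM, but the version is outside the advisory's ranges
#   potentially-vulnerable  FPM (nginx or Apache) on an affected version
#   exploit-path            FPM served by nginx on affected 7.0-7.3, i.e. the
#                           configuration a modified public exploit would reach
classify() {
  ver=$1; handler=$2
  case "$handler" in
    *FPM*|*fpm*) ;;
    *) echo not-affected; return 0 ;;
  esac
  split3 "$ver"; branch="$v1.$v2"
  affected=no
  case "$branch" in
    7.3) if [ "$(vercmp "$ver" 7.3.10)" -le 0 ]; then affected=yes; fi ;;
    7.2) if [ "$(vercmp "$ver" 7.2.23)" -le 0 ]; then affected=yes; fi ;;
    7.1) if [ "$(vercmp "$ver" 7.1.32)" -le 0 ]; then affected=yes; fi ;;
    7.0|5.6|5.5|5.4|5.3) affected=yes ;;
  esac
  if [ "$affected" = no ]; then echo unlisted; return 0; fi
  case "$branch:$handler" in
    7.*:*nginx*|7.*:*Nginx*) echo exploit-path ;;
    *) echo potentially-vulnerable ;;
  esac
}

# Constructed sample inventory (domain, PHP version, handler), one per line.
# Replace with the real list from your own Plesk server.
INVENTORY='example.com 7.3.10 FPM application served by nginx
shop.example.net 7.2.24 FPM application served by nginx
legacy.example.org 5.6.40 FPM application served by Apache
static.example.org 7.0.33 FastCGI application served by Apache'

# report: prints "<domain> <version> <verdict>" for every inventory line.
report() {
  printf '%s\n' "$INVENTORY" | while read -r domain ver handler; do
    printf '%-22s %-8s %s\n' "$domain" "$ver" "$(classify "$ver" "$handler")"
  done
}

report
```

The verdicts map directly onto the actions above: domains reported as exploit-path or potentially-vulnerable need to be moved to a patched 7.3, 7.2, or 7.1 handler before the outdated handlers are switched off server-wide, while unlisted means the version is already outside the ranges this advisory covers (for example a component updated by Plesk). The numeric version compare matters because the affected thresholds end in two-digit patch levels; a lexical check would treat 7.3.9 as newer than 7.3.10.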