Applicable to:
- Plesk for Linux
Situation
A security vulnerability has been discovered in Plesk's Password-Protected Directories feature: data supplied through this feature could be injected into the Apache configuration. Exploiting this vulnerability allows a Plesk user to execute arbitrary commands as the root user. The vulnerability has been assigned CVE-2025-66430.
We would like to thank Philip Okhonko for identifying and responsibly reporting this vulnerability to us.
Impact
Local privilege escalation (LPE) is possible. Any Plesk user with access to the Password-Protected Directories feature could gain root-level access on the server.
Call to action
A fix for this problem has been released. Please follow the steps appropriate for your Plesk version.
For Plesk Obsidian releases that received a micro-update (18.0.73.5 and 18.0.74.2), update Plesk to install it by following the steps from this guide: How to install Plesk updates
Other Plesk Obsidian versions, for which no micro-update is available, need to be patched manually. We recommend upgrading Plesk to the next release to receive the fix automatically: How to upgrade Plesk to the next release
If upgrading is not possible, the patch can be installed manually instead by following these steps:
- Log in to the server over SSH
- Run this command to download and apply the patch:
# wget -O /tmp/ProtectedDirectories.php "https://support.plesk.com/hc/en-us/article_attachments/36475075993879" && cp /usr/local/psa/admin/plib/Template/Variable/Domain/ProtectedDirectories.php{,.bak} && mv -f /tmp/ProtectedDirectories.php /usr/local/psa/admin/plib/Template/Variable/Domain/ProtectedDirectories.php
The command downloads the patched file to /tmp, keeps a copy of the original as ProtectedDirectories.php.bak in the same directory, and then replaces the original with the patched file. If anything goes wrong, the .bak copy can be moved back into place.
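The one-liner above replaces the file as soon as wget exits successfully, so a download that returns something other than the patch (for example an HTML page served with a 200 status) would still be installed. The following script is an added example, not Plesk's own tooling: it performs the same manual patch step, but refuses to install a download that is not a PHP file, keeps a timestamped backup, preserves the original file's mode and ownership, and swaps the file in atomically. The URL and target path are the ones given in this advisory; the optional `php -l` syntax check assumes a php binary on PATH and is skipped otherwise.

```shell
#!/bin/sh
# Added example (not Plesk's script): hardened manual patch of
# ProtectedDirectories.php as described in the advisory above.
set -eu

# URL and path taken from the advisory.
PATCH_URL="https://support.plesk.com/hc/en-us/article_attachments/36475075993879"
TARGET="/usr/local/psa/admin/plib/Template/Variable/Domain/ProtectedDirectories.php"

# Return 0 only if the file is non-empty and begins with a PHP open tag.
# A failed or redirected download (e.g. an HTML error or login page) fails here.
looks_like_php() {
    f="$1"
    [ -s "$f" ] || return 1
    head -n 1 "$f" | grep -q '^<?php' || return 1
    # Best-effort syntax check when a php CLI is on PATH (assumption: it may not be).
    if command -v php >/dev/null 2>&1; then
        php -l "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# install_patch SRC DST: verify SRC, back up DST, then replace DST atomically.
# The original mode/owner are kept by copying DST first and overwriting its
# contents, so the Plesk UI can still read the file. Prints the backup path.
install_patch() {
    src="$1"
    dst="$2"
    [ -f "$dst" ] || { echo "target not found: $dst" >&2; return 1; }
    looks_like_php "$src" || { echo "refusing to install: $src is not a PHP file" >&2; return 1; }

    backup="$dst.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$dst" "$backup"

    tmp="$dst.tmp.$$"
    cp -p "$dst" "$tmp"        # inherit mode/owner of the original
    cat "$src" > "$tmp"        # replace contents only
    mv -f "$tmp" "$dst"        # rename within the same directory: atomic
    echo "$backup"
}

# Download the patch to a temporary file and install it over TARGET.
apply_advisory_patch() {
    dl="$(mktemp /tmp/ProtectedDirectories.XXXXXX)"
    wget -q -O "$dl" "$PATCH_URL"
    install_patch "$dl" "$TARGET"
    rm -f "$dl"
}

# Only act when invoked explicitly, e.g.: sh patch.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_advisory_patch
fi
```

Run it as root with `--apply`; on success it prints the path of the backup it created, which is what you would restore if the patched file causes problems.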
Plesk Onyx installations do not receive a fix and should be upgraded to the latest Plesk Obsidian version, either in place or through migration, depending on what is supported for the installation. This guide has the necessary information: Upgrade Guide to Plesk Obsidian