[CVE-2025-66431] Security vulnerability in domain creation mechanism allows Plesk users to execute arbitrary code on behalf of root

Plesk for Linux kb: security

Applicable to:

  • Plesk for Linux

Situation

A security vulnerability has been discovered in Plesk's domain creation mechanism that allows arbitrary code execution on behalf of root. It has been assigned the identifier CVE-2025-66431.

We would like to thank Philip Okhonko for identifying and responsibly reporting this vulnerability to us.

Impact

Local privilege escalation (LPE) is possible. A malicious Plesk user who has the Create and manage sites permission enabled and has access to a subscription with the Domains management and Subdomains management permissions enabled can execute code as root when creating a domain, compromising the Plesk server.

Call to action

A fix for this problem has been released. Please follow the steps appropriate for your Plesk version.

Plesk 18.0.73 and 18.0.74

A hotfix has been released for these versions (18.0.73.5 and 18.0.74.2). Update Plesk to install it by following the steps in this guide: How to install Plesk updates

Plesk 18.0.72 and earlier Obsidian

We recommend upgrading Plesk to the next release to receive the fix: How to upgrade Plesk to the next release

Plesk Onyx

Plesk Onyx installations should be upgraded to the latest Obsidian version, either in-place or through migration depending on what's supported. This guide has the necessary information: Upgrade Guide to Plesk Obsidian

Workaround

If upgrading is not possible at the moment, apply the workaround below.

Warning: Applying the workaround changes the domain creation mechanism and may break other functionality. We strongly recommend upgrading Plesk at the earliest opportunity.

The commands below back up the original relink-vhost-logs utility as relink-vhost-logs_orig and replace it with a two-line script that does nothing (its only command is the no-op shell builtin ":"), so the relinking step no longer runs during domain creation:

# cp /usr/local/psa/admin/sbin/relink-vhost-logs /usr/local/psa/admin/sbin/relink-vhost-logs_orig
# echo -e '#!/bin/bash\n:' > /usr/local/psa/admin/sbin/relink-vhost-logs && chmod 755 /usr/local/psa/admin/sbin/relink-vhost-logs
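To decide which of the branches above applies to a given host, the following script, an added example rather than Plesk's own tooling, parses the output of "plesk version", classifies the version against the thresholds stated in this article, and checks whether the workaround stub from the commands above is in place. The exact wording of the "Product version:" line and the assumption that releases later than 18.0.74 include the fix are assumptions made by this example, not statements from the article.

```python
"""Triage a Plesk for Linux host against CVE-2025-66431.

Added example, not Plesk's code. Assumptions (not from the advisory):
 * `plesk version` prints a line like "Product version: Plesk Obsidian 18.0.74.1";
 * releases later than 18.0.74 ship with the fix;
 * the workaround stub is exactly the two-line script from the advisory.
"""
import re
import subprocess

# Per-branch hotfix thresholds taken from the advisory.
FIXED_PATCH_LEVEL = {(18, 0, 73): 5, (18, 0, 74): 2}
LAST_UNFIXED_MINOR = (18, 0, 72)          # 18.0.72 and earlier: upgrade needed
RELINK_UTILITY = "/usr/local/psa/admin/sbin/relink-vhost-logs"
WORKAROUND_STUB = "#!/bin/bash\n:\n"      # what `echo -e '#!/bin/bash\n:'` writes

# Assumed format of the version line (see module docstring).
VERSION_RE = re.compile(r"Product version:\s*Plesk\s+(\w+)\s+(\d+(?:\.\d+)*)")


def parse_version(plesk_version_output):
    """Return (product, (major, minor, build, patch)) from `plesk version` output."""
    m = VERSION_RE.search(plesk_version_output)
    if not m:
        raise ValueError("no 'Product version' line found")
    parts = [int(p) for p in m.group(2).split(".")]
    parts += [0] * (4 - len(parts))        # "18.0.73" means patch level 0
    return m.group(1), tuple(parts[:4])


def assess(product, version):
    """Map a parsed version to the advisory's call-to-action branch."""
    branch, patch = version[:3], version[3]
    if product.lower() == "onyx" or version[0] < 18:
        return "upgrade-to-obsidian"
    if branch in FIXED_PATCH_LEVEL:
        return "fixed" if patch >= FIXED_PATCH_LEVEL[branch] else "install-hotfix"
    if branch <= LAST_UNFIXED_MINOR:
        return "upgrade-to-next-release"
    return "fixed"                          # assumption: later releases carry the fix


def workaround_applied(script_text):
    """True if relink-vhost-logs has been replaced by the advisory's no-op stub."""
    return script_text.strip() == WORKAROUND_STUB.strip()


def triage(plesk_version_output, relink_script_text):
    """Combine version state and workaround state into one verdict string."""
    product, version = parse_version(plesk_version_output)
    state = assess(product, version)
    if state != "fixed" and workaround_applied(relink_script_text):
        state += " (workaround in place)"
    return state


def triage_live_host():
    """Run the check on the current machine (requires the plesk CLI)."""
    out = subprocess.run(["plesk", "version"], capture_output=True,
                         text=True, check=True).stdout
    with open(RELINK_UTILITY) as f:
        script = f.read()
    return triage(out, script)


if __name__ == "__main__":
    print(triage_live_host())
```

Run it as root on the host; "install-hotfix (workaround in place)" means the stub is buying time but the update from the section above is still outstanding.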

Comments

2 comments
  • When a qualified user creates a domain or subdomain, Plesk triggers root-level backend utilities to configure vhosts, directory structures, and log locations. Because of improper symlink handling (associated with the backend utility relink-vhost-logs), a malicious user can plant a symlink inside their subscription directory pointing to critical system files.

    0
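The symlink-escape condition described above can be hunted for across existing subscriptions before and after patching. The following script is an added example, not Plesk's own tooling and not part of the comment: it walks the vhosts tree without following links and reports every symlink whose resolved target lies outside that tree. The default root /var/www/vhosts is an assumption; the tree built by build_demo_tree is constructed sample data, not output from a real host.

```python
"""Find symlinks under a Plesk vhosts tree that resolve outside it.

Added example, not Plesk's code. Assumes the default vhosts root
/var/www/vhosts; pass another path if your layout differs.
"""
import os
import tempfile

DEFAULT_VHOSTS_ROOT = "/var/www/vhosts"   # Plesk default; assumption


def find_escaping_symlinks(root):
    """Return [(link_path, resolved_target)] for every symlink under `root`
    whose final target is outside `root`.

    The walk never follows links, so a planted directory link cannot pull the
    scan into the target tree, and realpath() resolves chains and relative
    links the same way a root-level utility would when it opens the path."""
    root = os.path.realpath(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                hits.append((path, target))
    return hits


def build_demo_tree():
    """Construct a throwaway vhosts tree (constructed sample, not real data):
    one legitimate in-tree link and one link that escapes to /etc/passwd."""
    base = tempfile.mkdtemp(prefix="vhosts-demo-")
    os.makedirs(os.path.join(base, "example.com", "logs"))
    os.makedirs(os.path.join(base, "system", "example.com", "logs"))
    # Legitimate: a relative link that stays inside the tree.
    os.symlink(os.path.join("..", "..", "system", "example.com", "logs"),
               os.path.join(base, "example.com", "logs", "system-logs"))
    # Planted: a subscription entry redirected to a system file.
    os.symlink("/etc/passwd", os.path.join(base, "example.com", "error_log"))
    return base


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(DEFAULT_VHOSTS_ROOT):
        print(f"{link} -> {target}")
```

Treat hits as leads rather than verdicts: review who owns the link and when it was created, and compare against what the subscription legitimately needs, before removing anything.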
  • Hello,

    A critical Local Privilege Escalation (LPE) flaw has been identified in the domain creation mechanism of Plesk for Linux. The vulnerability, tracked as CVE-2025-66431, allows an authenticated, low-privileged Plesk user to execute arbitrary commands with root-level system privileges upon creating a new domain.

    0