A critical security vulnerability has been disclosed in Plesk, a widely used web hosting and data center automation platform, that can hand full server control to ordinary hosting users. Tracked as CVE-2025-66430, the flaw carries a CVSS score of 9.1, classifying it as critical and demanding immediate attention.
The vulnerability affects Plesk for Linux and allows local privilege escalation (LPE): a user with limited permissions, such as a hosting customer with a Plesk panel account, can elevate their access to root, the highest privilege level on the system.
The issue resides in the platform’s Password-Protected Directories feature. The feature is meant to restrict access to sensitive folders, but a flaw in its implementation lets a Plesk user inject arbitrary data directly into the server’s Apache configuration.
According to the advisory, “A security vulnerability in Plesk’s Password-Protected Directories feature allowing injection of any data into the Apache configuration has been discovered”. The advisory continues: “Exploiting this vulnerability allows Plesk users to execute any commands as the root user”.
The impact is severe for any shared hosting environment. “Any Plesk user with access to the Password-Protected Directories feature could gain root-level access on the server,” effectively compromising the entire system and all other sites hosted on it.
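As an added illustration of the bug class the advisory describes (this is hypothetical code written for this article, not Plesk's implementation and not the vulnerable component itself), the renderer below builds an Apache password-protection block from customer-controlled fields. Because a newline ends a directive in Apache's config grammar, a realm name that contains one becomes extra directives. All function names, sample paths and the attacker string are constructed; the hardened variant shows the input validation that closes this particular hole.

```python
import re

# Hypothetical panel code, constructed for this article, that writes an Apache
# password-protection block. It is NOT Plesk's implementation; it shows the
# pattern the advisory describes (user data interpolated into httpd config).

# Newlines end a directive in Apache's config grammar and a double quote ends a
# quoted argument, so any of these in a user field lets the user write new lines.
_UNSAFE_CHARS = re.compile(r'[\x00-\x1f\x7f"\\]')
# One or more path segments of plain characters; segments may not start with '.'
# so "..", ".htaccess" and hidden directories are rejected along with traversal.
_SAFE_SUBDIR = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*(?:/[A-Za-z0-9_][A-Za-z0-9_.-]*)*$')


def render_vulnerable(docroot: str, subdir: str, realm: str, htpasswd: str) -> str:
    """Flawed pattern: user-controlled subdir and realm go straight into the config."""
    return (
        f'<Directory "{docroot}/{subdir}">\n'
        f'    AuthType Basic\n'
        f'    AuthName "{realm}"\n'
        f'    AuthUserFile {htpasswd}\n'
        f'    Require valid-user\n'
        f'</Directory>\n'
    )


def render_hardened(docroot: str, subdir: str, realm: str, htpasswd: str) -> str:
    """Same block, but every user-controlled field is validated before use.
    In this model docroot and htpasswd are chosen by the panel, not the customer."""
    if not _SAFE_SUBDIR.match(subdir):
        raise ValueError(f"rejected directory name: {subdir!r}")
    if not (1 <= len(realm) <= 64) or _UNSAFE_CHARS.search(realm):
        raise ValueError(f"rejected realm name: {realm!r}")
    return render_vulnerable(docroot, subdir, realm, htpasswd)


def directives(config: str) -> list[str]:
    """List the directive names in a rendered block, in order (section tags skipped).
    Useful for seeing what a block really contains after interpolation."""
    names = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        names.append(line.split()[0])
    return names


# Constructed attacker input: closes the AuthName argument, adds a directive of
# the attacker's choosing on a fresh line, then reopens a quote so the block
# still parses. Any directive could be smuggled this way; this one merely
# switches the password check off.
MALICIOUS_REALM = 'Private"\n    Require all granted\n    AuthName "x'

DOCROOT = "/var/www/vhosts/example.com/httpdocs"    # sample path, constructed
HTPASSWD = "/var/www/vhosts/example.com/.htpasswd"  # sample path, constructed

if __name__ == "__main__":
    injected = render_vulnerable(DOCROOT, "admin", MALICIOUS_REALM, HTPASSWD)
    print(injected)
    print("directives after injection:", directives(injected))
    for sub, realm in [("admin", MALICIOUS_REALM), ("../../../etc", "Private")]:
        try:
            render_hardened(DOCROOT, sub, realm, HTPASSWD)
        except ValueError as err:
            print("hardened renderer:", err)
```

In Apache 2.4, several `Require` directives in one section that are not wrapped in `<RequireAll>`/`<RequireAny>` are treated as an implicit `<RequireAny>`, so the smuggled `Require all granted` alone is enough to open the "protected" directory. The validation in `render_hardened` stops this specific string, but the real fix for CVE-2025-66430 is the vendor micro-update; this example only shows why untrusted input must never reach a configuration file that a privileged process will parse.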
Plesk has released emergency micro-updates to address the issue. Administrators are urged to update their installations immediately.
- Plesk 18.0.73 and 18.0.74: fixed in micro-updates 18.0.73.5 and 18.0.74.2 respectively.
- Plesk 18.0.70 – 18.0.72: Administrators should follow the specific upgrade path provided in the advisory.
- Plesk Onyx: Updates are also available for older Onyx versions.
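An added helper, not from Plesk or the advisory, that turns the version list above into a check: it parses the output of the real `plesk version` command and reports whether the installed build includes the fix. The output shape it expects ("Product version: Plesk Obsidian 18.0.73.5" or "... 18.0.73 Update #5") is an assumption about the CLI that you should confirm on your own host, and every sample string is constructed. For 18.0.70 to 18.0.72 and for Onyx the advisory gives an upgrade path rather than a single micro-update number, so those branches are reported as needing an update rather than compared numerically.

```python
import re
import subprocess

# Fixed builds as stated in the advisory summary above: 18.0.73 MU5 and
# 18.0.74 MU2. Other branches get an upgrade path instead of a single MU,
# so they are not compared numerically here.
FIXED_MU = {(18, 0, 73): 5, (18, 0, 74): 2}
UPGRADE_PATH = [(18, 0, 70), (18, 0, 71), (18, 0, 72)]

# Assumed shape of `plesk version` output (verify on your own server):
#   "Product version: Plesk Obsidian 18.0.73.5"
#   "Product version: Plesk Obsidian 18.0.73 Update #5"
_VERSION_RE = re.compile(
    r"Product version:\s+Plesk\s+(?P<edition>\w+)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?:\.(?P<mu_dot>\d+)|\s+Update\s+#(?P<mu_hash>\d+))?"
)


def parse_plesk_version(text: str) -> tuple[tuple[int, int, int], int]:
    """Return ((major, minor, patch), micro_update) from `plesk version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("could not find a 'Product version:' line")
    base = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    mu = int(m["mu_dot"] or m["mu_hash"] or 0)
    return base, mu


def assess(base: tuple[int, int, int], mu: int) -> str:
    """Map an installed build onto the advisory's remediation list."""
    if base in FIXED_MU:
        if mu >= FIXED_MU[base]:
            return "patched"
        return f"vulnerable: install micro-update #{FIXED_MU[base]} or later"
    if base in UPGRADE_PATH:
        return "vulnerable: follow the advisory's upgrade path for 18.0.70-18.0.72"
    if base > max(FIXED_MU):
        return "newer than the builds listed in the advisory: confirm against the advisory"
    return "older release (pre-18.0.70 or Onyx): apply the update listed in the advisory"


def check_local_host() -> str:
    """Run the real CLI on a Plesk server (normally as root) and assess the result."""
    out = subprocess.run(["plesk", "version"], capture_output=True, text=True, check=True).stdout
    return assess(*parse_plesk_version(out))


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real server.
    for sample in (
        "Product version: Plesk Obsidian 18.0.73.5\n    OS version: AlmaLinux 9 x86_64\n",
        "Product version: Plesk Obsidian 18.0.74 Update #1\n",
        "Product version: Plesk Obsidian 18.0.71.3\n",
        "Product version: Plesk Onyx 17.8.11 Update #98\n",
    ):
        base, mu = parse_plesk_version(sample)
        print(f"{'.'.join(map(str, base))} MU{mu}: {assess(base, mu)}")
```

On the server itself, `plesk installer install-all-updates` pulls the current micro-update for the installed branch; re-run the check afterwards rather than trusting the panel's own banner, since the fix is only in place once the reported micro-update number meets the advisory's.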