A newly disclosed security vulnerability in Plesk Obsidian, a widely used web hosting control panel, has been assigned CVE-2025-54336 with a CVSS severity score of 9.8. The flaw, which affects authentication logic, could allow attackers to bypass admin login and take complete control of servers under specific conditions.
According to the advisory, "in Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is '0e' followed by any digit string, then an attacker can log in with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php."
The problem arises from Plesk's use of PHP's loose comparison operator (==) during password checks. When both operands are numeric strings, PHP compares them as numbers, so a string such as 0e0 (which evaluates to 0.0) compares equal to any real password that begins with "0e" followed only by digits.
As the advisory explains, "an unauthenticated attacker can log in to Plesk as the admin and fully compromise the server if the admin's password is set to 0e followed by digits only."
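The bug class described above, as an added illustration that is not Plesk's code: a loose-comparison check beside a strict, constant-time one, plus a helper a defender can use to audit credentials for the risky "0e" + digits shape. Function names and the sample password are constructed for this example.

```php
<?php
// Vulnerable pattern (illustrative, not the Plesk source): `==` on two
// numeric strings compares them as floats, so "0e12345678" == "0e0" holds
// because both sides evaluate to 0.0.
function isPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened pattern: hash_equals() compares bytes in constant time and never
// applies PHP type juggling, so only a byte-for-byte match succeeds.
// (A real login compares password hashes rather than plaintext; the same
// loose-comparison pitfall applies to hex hash strings that start with "0e".)
function isPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Defensive audit helper: flags any credential shaped like "0e" followed
// only by digits, i.e. the form the advisory's mitigation asks admins to avoid.
function isMagicNumericString(string $value): bool
{
    return preg_match('/^0e\d+$/i', $value) === 1;
}

// Constructed sample credential with the risky shape.
$storedPassword = '0e12345678';

printf("stored password flagged as risky: %s\n",
    var_export(isMagicNumericString($storedPassword), true));

// Compare a few candidate strings under both checks. The loose check
// accepts every "0e<digits>" candidate; the strict check accepts none
// of them because none matches the stored value byte for byte.
foreach (['0e0', '0e99', 'not-the-password'] as $candidate) {
    printf("%-18s loose=%-5s strict=%s\n",
        $candidate,
        var_export(isPasswordValidLoose($storedPassword, $candidate), true),
        var_export(isPasswordValidStrict($storedPassword, $candidate), true));
}
```

Run with `php example.php`; the loose check reports true for the 0e0 and 0e99 candidates while the strict check rejects all three.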
Although the likelihood of an administrator deliberately using such a password is low, the flaw also opens the door for timing attacks and type confusion attacks to brute-force passwords more efficiently.
If exploited, this vulnerability could allow an attacker to:
- Gain unauthorized administrative access to Plesk.
- Compromise websites, web applications, and databases hosted on the server.
- Deploy malware, deface websites, or exfiltrate sensitive customer and business data.
The severity stems from the fact that no prior authentication is required to attempt exploitation.
Plesk has released patches addressing the vulnerability in the following versions:
- Plesk Obsidian 18.0.71 Update 2
- Plesk Obsidian 18.0.70 Update 4
The advisory urges administrators to update immediately. For those unable to patch right away, a critical mitigation step is to change the admin password to a more secure format that avoids numeric-only "0e"-prefixed strings.