Authentication Bypass in Plesk Obsidian by Plesk

CVE-2025-54336

What is CVE-2025-54336?

CVE-2025-54336 is a notable vulnerability found in Plesk Obsidian version 18.0.70, a popular web hosting control panel used by many server administrators for managing websites, applications, and databases. This vulnerability arises from a flaw in the method used to validate administrator passwords, specifically in the isAdminPasswordValid function, which employs an == comparison. This poor implementation could allow an attacker to bypass authentication mechanisms by leveraging a specific password structure. If the legitimate password starts with "0e" followed by any numerical string, an unauthorized user can gain access by using alternate input that evaluates to zero, potentially leading to unauthorized administrative access to the system. Such a breach could severely compromise the integrity and security of hosted applications and data.

Potential impact of CVE-2025-54336

1. Unauthorized Access: The primary impact of this vulnerability is that it allows attackers to log in as an administrator without knowing the actual password, enabling them to make unauthorized changes to the server configurations, data management, and more.

2. Data Integrity Compromise: With administrative access, attackers can manipulate website data, potentially leading to data breaches or loss of sensitive information, which could have serious implications for businesses that depend on this data.

3. Increased Risk of Future Exploitation: The existence of this vulnerability can expose the affected systems to additional attacks, including the deployment of malware, as administrators may be unaware of unauthorized access and the changes being made to the system settings.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References