CVE-2025-54336

CRITICAL

Plesk Obsidian 18.0.70 - Info Disclosure

Title source: llm

Description

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

References (3)

[Various Sources] https://blog.aziz.tn/2025/08/cve-2025-54336.html/

[Various Sources] https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336

[Various Sources] https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/

Scores

CVSS v3 9.8

EPSS 0.0007

EPSS Percentile 20.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-697

Status published

Published Aug 19, 2025

Tracked Since Feb 18, 2026