CVE-2025-54336

CRITICAL

Plesk Obsidian 18.0.70 - Info Disclosure

Title source: llm

Description

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

References (3)

Core 3

Core References

Various Sources

https://blog.aziz.tn/2025/08/cve-2025-54336.html/

Various Sources

https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336

Various Sources

https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/

Scores

CVSS v3 9.8

EPSS 0.0047

EPSS Percentile 37.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-697

Status published

Published Aug 19, 2025

Tracked Since Feb 18, 2026