AI description
CVE-2025-54336 is an authentication bypass vulnerability affecting Plesk Obsidian 18.0.70. The vulnerability lies in the `_isAdminPasswordValid` function within `admin/plib/LoginManager.php`, where an insecure comparison (`==`) is used. This weak comparison allows an attacker to log in as an administrator without the correct password if the actual administrator password begins with "0e" followed by only digits. An attacker can use any string that evaluates to 0.0, such as "0e0", to bypass authentication. This vulnerability can lead to full server compromise.
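As an added illustration that is not Plesk's code and not part of this record, the PHP below shows the class of defect the description refers to: when both operands are numeric strings, `==` compares them as numbers, so every string of the form `0e<digits>` evaluates to 0.0 and compares equal to every other one (this holds on PHP 7 and PHP 8 alike, since PHP 8 only changed int-versus-non-numeric-string comparisons). `weakPasswordCheck` is a hypothetical stand-in for a check of the kind described, the stored value is constructed, and the hardened forms rely on the standard `hash_equals` and `password_verify` functions.

```php
<?php
// Added illustration (not Plesk's code): why a loose == comparison is an
// unsafe way to compare secrets, and what to use instead.
// The stored value used below is constructed, not a real credential.

declare(strict_types=1);

// Hypothetical stand-in for a comparison like the one the CVE describes.
// Two numeric strings are compared numerically by ==, so "0e1234567890"
// and "0e0" both evaluate to 0.0 and are treated as equal.
function weakPasswordCheck(string $stored, string $supplied): bool
{
    return $stored == $supplied; // loose comparison: the defect
}

// Hardened form: strict, constant-time byte comparison. hash_equals()
// returns false on any length or byte difference and does not stop at the
// first mismatch, so timing does not reveal how much of the value matched.
function strictPasswordCheck(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Preferred form: store a password hash and let password_verify() do the
// comparison, so no plaintext is ever compared at all.
function hashedPasswordCheck(string $storedHash, string $supplied): bool
{
    return password_verify($supplied, $storedHash);
}

// Review aid: flag strings of the shape 0e<digits>, which are exactly the
// values that == collapses to 0.0 when compared with another numeric string.
function isZeroExponentString(string $s): bool
{
    return (bool) preg_match('/^0e[0-9]+$/i', $s);
}

$stored = '0e1234567890'; // constructed: a stored value with the 0e<digits> shape

var_dump(weakPasswordCheck($stored, '0e0'));     // loose check accepts a wrong value
var_dump(strictPasswordCheck($stored, '0e0'));   // strict check rejects it
var_dump(strictPasswordCheck($stored, $stored)); // strict check still accepts the real value
var_dump(isZeroExponentString($stored));

// Constructed passphrase, hashed with the library default (bcrypt at time of writing)
$hash = password_hash('constructed passphrase for demo', PASSWORD_DEFAULT);
var_dump(hashedPasswordCheck($hash, '0e0'));
var_dump(hashedPasswordCheck($hash, 'constructed passphrase for demo'));
```

Running it with `php` shows the loose check accepting `0e0` for the constructed stored value while both hardened checks reject it. The `isZeroExponentString` helper is useful on the defensive side only as a grep-style aid when auditing code that still uses `==` on secrets; the actual fix is to replace the loose comparison, not to filter inputs.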
- Description
- In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can log in with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
- Source
- cve@mitre.org
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-697
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
46
🚨 Critical vulnerability found in Plesk Obsidian (CVE-2025-54336). Please see the @ncsc_gov_ie advisory for more info: https://t.co/RRwMLfg6xa
@ncsc_gov_ie
21 Aug 2025
172 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-54336 (CVSS 9.8): Critical Flaw in Plesk Obsidian Exposes Servers to Full Compromise 📊11.6M Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/7sCDL2yMoj 👇Query HUNTER : https://t.co/q9rtuGfZuz="Plesk Obsidian" http
@HunterMapping
21 Aug 2025
4687 Impressions
28 Retweets
64 Likes
34 Bookmarks
0 Replies
0 Quotes
Authentication can be bypassed when the administrator password begins with "0e" and consists only of digits. It's a beginner-level CTF problem! / Vulnerability CVE-2025-54336 – Plesk https://t.co/iC8SIE3Uwa
@hasegawayosuke
21 Aug 2025
41183 Impressions
101 Retweets
450 Likes
203 Bookmarks
2 Replies
6 Quotes
⚠️⚠️ CVE-2025-54336(CVSS 9.8) Critical Flaw in Plesk Obsidian Exposes Servers to Full Compromise 🎯5.8M+Results are found on the https://t.co/pb16tGYaKe nearly year 🔗FOFA Link: https://t.co/kK4ecAEJ15 Query:app="plesk-Obsidian" 🔖Refer: https://t.co/mJiVJH03NP #O
@fofabot
20 Aug 2025
3635 Impressions
13 Retweets
50 Likes
25 Bookmarks
1 Reply
0 Quotes
A critical vulnerability (CVE-2025-54336) in Plesk Obsidian could allow attackers to bypass the admin password and take complete control of affected servers. https://t.co/ko664oUIwS
@the_yellow_fall
20 Aug 2025
455 Impressions
3 Retweets
4 Likes
1 Bookmark
1 Reply
0 Quotes