PT-2025-33731 · Unknown · Plesk Obsidian
Aziz · Published 2025-08-19 · Updated 2025-09-26 · CVE-2025-54336
CVSS v3.1: 9.8 (Critical) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Plesk Obsidian version 18.0.70
Description: The isAdminPasswordValid function in Plesk Obsidian uses PHP's loose comparison operator (==), which allows an attacker to bypass the administrator password check when the correct password has the form "0e" followed by any string of digits. An attacker can then log in with any string that PHP evaluates to 0.0, such as "0e0". The issue is located in the admin/plib/LoginManager.php file. Approximately 11.6 million services are estimated to be affected worldwide.
Recommendations: Plesk Obsidian version 18.0.70: Update to a newer version that addresses this authentication bypass issue. As a temporary workaround, consider restricting access to the admin/plib/LoginManager.php file until a patch is available.
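To illustrate the loose-comparison behaviour the description refers to, here is an added PHP example; it is not Plesk's code, and the function names and password values are constructed for the illustration:

```php
<?php
// Constructed example: why a password check built on == is unsafe in PHP.
// When both operands are numeric strings, == converts them to numbers
// before comparing, so "0e12345" and "0e0" both become 0.0 and compare equal.

// Constructed stored password in the "0e<digits>" shape the advisory describes.
const STORED_PASSWORD = '0e12345';

// Weak check (the pattern the advisory describes): loose comparison.
function isAdminPasswordValidWeak(string $supplied, string $stored): bool
{
    return $supplied == $stored;
}

// Hardened check: hash_equals() compares the bytes of both strings in
// constant time and never applies numeric conversion. A strict === comparison
// would also avoid the type juggling, but leaks timing information.
function isAdminPasswordValidStrict(string $supplied, string $stored): bool
{
    return hash_equals($stored, $supplied);
}

// Constructed inputs: the real password, two strings PHP evaluates to 0.0,
// and an ordinary wrong password.
$cases = ['0e12345', '0e0', '0', 'hunter2'];
foreach ($cases as $supplied) {
    printf(
        "%-8s weak=%-5s strict=%s\n",
        $supplied,
        var_export(isAdminPasswordValidWeak($supplied, STORED_PASSWORD), true),
        var_export(isAdminPasswordValidStrict($supplied, STORED_PASSWORD), true)
    );
}
// Expected: only "0e12345" passes the strict check, while "0e0" and "0"
// also pass the weak check; "hunter2" fails both.
```

In a detection or code-review pass, any `==` (or `!=`) applied to a password, token, hash or signature is the thing to flag; the fix is `hash_equals()` or, at minimum, `===`.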

Related Identifiers: CVE-2025-54336
Affected Products: Plesk Obsidian