PT-2025-50946 · Plesk · Plesk 18.0

Published: 2025-12-02 · Updated: 2026-05-03 · CVE-2025-66430

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Plesk versions 18.0 through 18.0.74
Description: Plesk 18.0 contains an incorrect access control issue in the Password-Protected Directories component. An authenticated attacker with limited privileges can inject arbitrary directives into Apache web server configuration files, which allows execution of arbitrary commands with root privileges. Approximately 4.3 million instances are potentially exposed. A successful exploit could lead to full server compromise, including access to all websites, databases, and email accounts hosted on the server. The root cause is improper input validation and access control in the Password-Protected Directories feature: values entered in the Plesk interface, specifically in the configuration fields for directory names or authorization headers, are written into the Apache configuration without adequate validation, so attacker-controlled directives are applied, and attacker-controlled code runs with root privileges, when Apache is reconfigured.
Recommendations: Plesk versions 18.0 through 18.0.74 should be updated to versions 18.0.70 through 18.0.74. Restrict access to the Password-Protected Directories feature to authorized personnel only. Implement SIEM monitoring rules to detect root command execution attempts originating from restricted Plesk accounts. As a temporary workaround, consider disabling the Password-Protected Directories feature through the Service Plans settings.
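The root cause described above is configuration-file injection: user-supplied directory names and authorization realms end up inside Apache directives, so any character that can close a quoted value or start a new line lets a user append directives of their own. The following Python validator is an added, illustrative example of the defensive pattern (allowlist the values, refuse to render the Apache block otherwise); it is not Plesk's code and assumes nothing about Plesk's actual implementation. The docroot and password-file paths are assumed to be server-controlled, not user input.

```python
import re

# Hypothetical validator, constructed for this example; not Plesk's implementation.
# Directory name: slash-separated segments of safe characters, no control characters.
_DIR_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*$")
# Realm (AuthName) value: printable characters only, no quotes, no CR/LF.
_REALM_RE = re.compile(r"^[A-Za-z0-9 ._:-]{1,128}$")


class ConfigInjectionError(ValueError):
    """Raised when a user-supplied value could alter Apache configuration syntax."""


def validate_directory(name: str) -> str:
    # The character class admits '.', so reject traversal segments explicitly.
    if not _DIR_RE.fullmatch(name) or ".." in name.split("/"):
        raise ConfigInjectionError(f"invalid directory name: {name!r}")
    return name


def validate_realm(realm: str) -> str:
    if not _REALM_RE.fullmatch(realm):
        raise ConfigInjectionError(f"invalid realm: {realm!r}")
    return realm


def render_protected_dir(docroot: str, name: str, realm: str, passwd_file: str) -> str:
    """Render a <Directory> block only from values that passed the allowlist.

    docroot and passwd_file are trusted, server-chosen paths (assumption)."""
    name = validate_directory(name)
    realm = validate_realm(realm)
    return (
        f'<Directory "{docroot}/{name}">\n'
        "    AuthType Basic\n"
        f'    AuthName "{realm}"\n'
        f'    AuthUserFile "{passwd_file}"\n'
        "    Require valid-user\n"
        "</Directory>\n"
    )


def is_safe(name: str, realm: str) -> bool:
    """Convenience check: True only if both values would be accepted."""
    try:
        validate_directory(name)
        validate_realm(realm)
        return True
    except ConfigInjectionError:
        return False
```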

Fix · RCE · LPE · Improper Access Control

Weakness Enumeration

Related Identifiers: BDU:2025-15990, CVE-2025-66430

Affected Products: Plesk 18.0