← back
CVE-2025-54336

CVE-2025-54336

CVSS 9.8 CRITICALEPSS 0.5%CWE-697
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
19 Aug 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://blog.aziz.tn/2025/08/cve-2025-54336.html/https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/