CVE-2025-54336 Overview
A critical authentication bypass vulnerability exists in Plesk Obsidian 18.0.70 due to improper comparison logic in the _isAdminPasswordValid function. The vulnerability stems from the use of a loose equality comparison (==) in PHP, which allows attackers to bypass authentication when the administrator password begins with "0e" followed by digits. This type juggling weakness enables unauthorized access to the Plesk administrative panel.
Critical Impact
Attackers can gain full administrative access to Plesk servers by exploiting PHP's loose comparison behavior, potentially compromising all hosted websites and services on affected systems.
Affected Products
- Plesk Obsidian 18.0.70
Discovery Timeline
- 2025-08-19 - CVE-2025-54336 published to NVD
- 2025-08-26 - Last updated in NVD database
Technical Details for CVE-2025-54336
Vulnerability Analysis
This vulnerability is classified under CWE-697 (Incorrect Comparison), a weakness category that addresses flaws in comparison operations. The vulnerable code resides in admin/plib/LoginManager.php where the _isAdminPasswordValid function performs password validation using PHP's loose equality operator (==).
PHP's loose comparison (==) compares two strings numerically when both are numeric strings, and strings in scientific notation such as "0e12345" count as numeric. A string of "0e" followed only by digits therefore evaluates to 0 × 10^n = 0. If the administrator's password has this form (for example "0e123456"), any other string that also evaluates to zero, such as "0e0", "0e1", or a similar pattern, compares equal to it and authenticates successfully.
This attack requires no user interaction and can be performed remotely over the network without any prior authentication, making it particularly dangerous for internet-facing Plesk installations.
Root Cause
The root cause is the use of PHP's loose equality operator (==) instead of the strict equality operator (===) in the password validation function. When comparing strings with the loose operator, PHP attempts to convert both operands to matching types. Strings matching the pattern /^0e[0-9]+$/ are interpreted as scientific notation representing zero, causing false positive matches during authentication.
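The following PHP snippet is an added illustration, not Plesk's code: the function names are hypothetical and the stored password is a constructed value. It places the loose comparison described above next to two hardened alternatives (a strict timing-safe string comparison, and verification against a password_hash() digest) and includes a small check an administrator can run against a password to see whether it matches the vulnerable /^0e[0-9]+$/ pattern.

```php
<?php
// Added example for the CWE-697 weakness described above. Not Plesk's code;
// function names are hypothetical and the sample password is constructed.

// Vulnerable pattern: loose string comparison. When both operands are numeric
// strings, PHP compares them as numbers, so "0e0" and "0e123456" are both 0.0.
function isPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened: byte-for-byte, constant-time comparison of the raw strings.
// No numeric conversion takes place, so "0e0" never matches "0e123456".
function isPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Preferred: do not keep or compare the plaintext at all. Store a
// password_hash() digest and let password_verify() do the comparison.
function isPasswordValidHashed(string $storedHash, string $supplied): bool
{
    return password_verify($supplied, $storedHash);
}

// Audit helper: does a password match the pattern that loose comparison
// collapses to zero? Matches the /^0e[0-9]+$/ pattern from the Root Cause.
function isTypeJugglingProne(string $password): bool
{
    return preg_match('/^0e[0-9]+$/', $password) === 1;
}

// Constructed sample: an admin password that happens to match the pattern.
$storedPassword = '0e123456';
$attempts = ['0e123456', '0e0', '0e1', 'abc'];

foreach ($attempts as $attempt) {
    printf(
        "%-10s loose=%-5s strict=%s\n",
        $attempt,
        var_export(isPasswordValidLoose($storedPassword, $attempt), true),
        var_export(isPasswordValidStrict($storedPassword, $attempt), true)
    );
}

// The hashed variant rejects "0e0" as well, because the digest is compared,
// not the numeric value of the input string.
$hash = password_hash($storedPassword, PASSWORD_DEFAULT);
var_dump(isPasswordValidHashed($hash, '0e0'));
var_dump(isPasswordValidHashed($hash, '0e123456'));

// Flag the stored password as exposed to this weakness.
var_dump(isTypeJugglingProne($storedPassword));
```

Run with the PHP CLI (php example.php). The loose comparison reports true for "0e0" and "0e1" against the stored "0e123456", while both hardened variants report true only for the exact password; the audit helper reports true for the stored value, which is the condition under which the bypass applies. This behaviour holds on PHP 7 and PHP 8, since the PHP 8 comparison changes only affect comparisons involving non-numeric strings.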
Attack Vector
The attack can be executed remotely over the network against the Plesk administrative login interface. An attacker targets the authentication mechanism by submitting login requests with password values that evaluate to zero in PHP's type system. If the legitimate administrator password matches the vulnerable "0e" pattern, the attacker gains immediate administrative access.
The attack flow involves:
- Attacker identifies a Plesk Obsidian 18.0.70 installation
- Attacker attempts login with username "admin" and password "0e0"
- If the real admin password is "0e" followed by digits, PHP's loose comparison evaluates both as 0.0
- Authentication succeeds, granting full administrative control
Detection Methods for CVE-2025-54336
Indicators of Compromise
- Multiple failed login attempts followed by successful authentication from unusual IP addresses
- Login events with passwords containing "0e" patterns in web application logs
- Unexpected administrative sessions or configuration changes on Plesk servers
- Unauthorized creation of new administrator accounts or FTP users
Detection Strategies
- Monitor Plesk authentication logs for login attempts using common type juggling payloads (0e0, 0e1, 0e000)
- Implement web application firewall rules to detect and flag suspicious authentication patterns
- Deploy SIEM correlation rules to identify authentication anomalies across multiple Plesk instances
- Enable detailed access logging for the /admin/ endpoint and review for suspicious activity
Monitoring Recommendations
- Configure alerting for successful admin logins from previously unseen IP addresses or geographic locations
- Monitor for changes to critical Plesk configuration files, especially in /admin/plib/
- Implement file integrity monitoring on the Plesk installation directory
- Review administrative action logs regularly for unauthorized modifications
How to Mitigate CVE-2025-54336
Immediate Actions Required
- Change administrator passwords immediately to values that do not match the "0e[0-9]+" pattern
- Restrict administrative panel access to trusted IP addresses using firewall rules
- Enable two-factor authentication if available to add an additional layer of protection
- Review audit logs for signs of unauthorized access or suspicious login activity
Patch Information
Plesk has acknowledged this vulnerability and published guidance. System administrators should consult the Plesk Support Advisory for official patch information and update instructions. Apply the latest security updates as soon as they become available from Plesk.
Workarounds
- Implement IP-based access restrictions to limit administrative panel access to known management networks
- Use a reverse proxy with additional authentication layers in front of the Plesk admin interface
- Ensure administrator passwords contain non-numeric characters to avoid the "0e" pattern vulnerability
- Consider temporarily disabling web-based admin access and using CLI management until patched
# Configuration example - Restrict admin panel access via iptables
# Allow admin access (Plesk panel on TCP 8443) only from a trusted management IP.
# 192.168.1.100 is a placeholder; substitute the real management address.
# These rules are appended, so they must precede any broader ACCEPT rule in the chain.
iptables -A INPUT -p tcp --dport 8443 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.