CVE-2025-65518 Overview
CVE-2025-65518 is a Denial of Service (DoS) vulnerability affecting Plesk Obsidian versions 8.0.1 through 18.0.73. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.
Critical Impact
Remote unauthenticated attackers can render Plesk Obsidian web interfaces completely unavailable by triggering a persistent reload condition through the get_password.php endpoint.
Affected Products
- Plesk Obsidian version 8.0.1
- Plesk Obsidian versions through 18.0.73
- All Plesk Obsidian versions within the 8.0.1 to 18.0.73 range
Discovery Timeline
- 2026-01-08 - CVE-2025-65518 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-65518
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that the get_password.php endpoint fails to properly limit the resources consumed when processing specially crafted requests. The vulnerable endpoint does not implement adequate input validation or rate limiting mechanisms, allowing attackers to send malicious payloads that trigger continuous reload behavior in the web interface.
The attack can be executed over the network without requiring any authentication credentials or user interaction. While the vulnerability does not impact data confidentiality or integrity, it results in complete availability loss of the affected Plesk Obsidian instance, preventing legitimate administrators from accessing the hosting control panel.
Root Cause
The root cause lies in improper resource consumption controls within the get_password.php endpoint. The endpoint appears to process malicious input in a manner that causes the web interface to enter an infinite reload loop. This indicates insufficient input validation and a lack of proper error handling that would normally terminate problematic requests before they impact system availability.
Attack Vector
The attack is network-based and requires no authentication, making it accessible to any remote attacker who can reach the Plesk Obsidian web interface. The attacker sends a specially crafted HTTP request to the get_password.php endpoint containing a malicious payload. Upon processing this request, the web interface begins continuously reloading, effectively denying service to all users attempting to access the Plesk control panel.
The vulnerability requires no user interaction and has low attack complexity, making it particularly dangerous for internet-facing Plesk Obsidian installations. Technical details of the exploitation mechanism can be found in the GitHub CVE-2025-65518 Documentation.
Detection Methods for CVE-2025-65518
Indicators of Compromise
- Unusual or repeated HTTP requests targeting the get_password.php endpoint
- Web interface becoming unresponsive or entering persistent reload states
- Increased error logs related to the get_password.php functionality
- Server resource consumption spikes associated with web interface processes
Detection Strategies
- Monitor HTTP access logs for suspicious activity targeting /get_password.php
- Implement web application firewall (WAF) rules to detect and block malformed requests to the vulnerable endpoint
- Configure intrusion detection systems (IDS) to alert on anomalous request patterns to Plesk administrative interfaces
- Deploy endpoint detection and response (EDR) solutions to identify abnormal web server behavior
Monitoring Recommendations
- Establish baseline metrics for normal Plesk web interface resource consumption
- Set up alerts for sudden availability degradation of Plesk management interfaces
- Monitor network traffic for unusual volume or patterns of requests to Plesk endpoints
- Implement synthetic monitoring to detect web interface availability issues in real-time
How to Mitigate CVE-2025-65518
Immediate Actions Required
- Restrict network access to the Plesk Obsidian web interface to trusted IP addresses only
- Implement rate limiting on the get_password.php endpoint at the web server or firewall level
- Deploy a web application firewall (WAF) with rules to filter malicious requests
- Monitor for official patches from Plesk and apply updates as soon as available
Patch Information
Organizations should monitor the Plesk Obsidian Change Log and Plesk Official Website for security updates addressing this vulnerability. Upgrade to a patched version of Plesk Obsidian when available to fully remediate this issue.
Workarounds
- Implement IP-based access control lists (ACLs) to limit access to the Plesk administrative interface
- Configure a reverse proxy or WAF to filter requests to get_password.php with additional validation
- Consider temporarily disabling or renaming the vulnerable endpoint if not critical to operations
- Enable web server rate limiting to prevent request flooding attacks
# Example: Block access to vulnerable endpoint using Apache mod_rewrite
# Add to Plesk Apache configuration or .htaccess
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^get_password\.php$ - [F,L]
</IfModule>
# Example: Rate limiting using iptables for Plesk default port
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 8443 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
