CVE-2025-54336

CRITICAL

9.8

Descricao

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

Detalhes CVE

Pontuacao CVSS v3.19.8

SeveridadeCRITICAL

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado8/19/2025

Ultima modificacao8/26/2025

Fontenvd

Avistamentos honeypot0

Fraquezas (CWE)

CWE-697

Referencias

https://blog.aziz.tn/2025/08/cve-2025-54336.html/(cve@mitre.org)

https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336(cve@mitre.org)

https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/(cve@mitre.org)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.