CVE-2025-54336 Information
Aug 20, 2025
Description
In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can log in with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
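The comparison flaw described above, shown as an added PHP example (not Plesk's code; the function names and sample values are constructed): a loose == check beside a hash_equals() check, plus a helper that flags stored values PHP would compare numerically. The helper goes slightly beyond the page's case by also flagging numeric strings that do not equal 0.0.

```php
<?php
// Added illustration; not Plesk source code. Function names are hypothetical.

// Weak form: == compares two numeric strings as numbers, so "0e0" and
// "0e462097" both become float 0.0 and compare equal.
function isPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Corrected form: hash_equals() compares the strings byte for byte, with no
// numeric conversion, and in time independent of where they first differ.
function isPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Audit helper: a stored value is exposed to == collisions whenever PHP
// treats it as a numeric string; the page's case is the subset equal to 0.0.
function looseCompareRisk(string $stored): string
{
    if (!is_numeric($stored)) {
        return 'none';
    }
    return ((float) $stored === 0.0) ? 'equals-zero' : 'numeric';
}

// Constructed sample values (not real credentials).
$samples = ['0e462097', '0e0', '1e3', 'correct horse', '0e46ab'];

foreach ($samples as $stored) {
    printf(
        "%-15s risk=%-11s loose(0e0)=%-5s strict(0e0)=%s\n",
        $stored,
        looseCompareRisk($stored),
        var_export(isPasswordValidLoose($stored, '0e0'), true),
        var_export(isPasswordValidStrict($stored, '0e0'), true)
    );
}
```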
Reference
https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336
https://www.plesk.com/blog/plesk-news-announcements/introducing-plesk-obsidian-18-0-70-anniversary-edition/
Related CNNVD
CNNVD-202508-2098 (Published: 2025-08-19)