CVE-2025-54336

In Plesk Obsidian (multiple products)

A critical authentication bypass vulnerability exists in Plesk Obsidian, identified as CVE-2025-54336.

Executive summary

The flaw stems from an insecure password comparison: under specific circumstances an attacker can gain full administrative access to the Plesk control panel without knowing the correct password. Successful exploitation results in complete compromise of the hosting server and every website it manages.

Vulnerability

The vulnerability is a "type juggling" (loose comparison) flaw in the _isAdminPasswordValid function, which uses PHP's == operator to compare the user-provided password with the stored password hash. Because == compares two numeric strings as numbers, a stored hash that happens to be a string PHP reads as scientific notation (for example, "0e" followed only by digits) is evaluated as the number zero. An attacker can exploit this by submitting a password that also evaluates to zero (such as "0", "0.0", or another "0e..." string), so the loose comparison returns true and grants administrative access.
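The following PHP snippet is an added illustration (not Plesk's code) of the comparison behaviour described above: the loose == check beside a strict hash_equals() replacement, plus a small audit helper that flags stored hashes PHP would coerce to a number. The function names and the stored hash value are hypothetical and constructed for this example.

```php
<?php
declare(strict_types=1);
// Added illustration, not Plesk's code: why `==` on a "0e<digits>" hash is
// unsafe, the strict replacement, and an audit check for at-risk stored hashes.
// All names and values below are hypothetical and constructed for this example.

// Constructed stored hash shaped like scientific notation ("0e" + digits only).
// is_numeric() is true for it, so PHP treats it as the float 0.0 inside `==`.
const STORED_HASH = '0e830400451993494058024219903391';

// Vulnerable pattern from the advisory: loose comparison.
// When BOTH operands are numeric strings, PHP (7 and 8 alike) compares them
// as numbers, so "0", "0.0" and any other "0e..." string all match STORED_HASH.
function isPasswordValidLoose(string $candidate, string $stored): bool
{
    return $candidate == $stored;          // type-juggling comparison
}

// Hardened pattern: hash_equals() is a byte-for-byte, length-checked,
// constant-time comparison; no numeric coercion can occur.
function isPasswordValidStrict(string $candidate, string $stored): bool
{
    return hash_equals($stored, $candidate);
}

// Defensive audit: return the stored hashes that PHP would treat as numeric.
// Any such value is exposed wherever a legacy `==` code path still exists.
function findNumericHashes(array $hashes): array
{
    return array_values(array_filter($hashes, fn(string $h): bool => is_numeric($h)));
}

// Demonstration over constructed inputs.
foreach (['0', '0.0', '0e1', STORED_HASH] as $candidate) {
    printf("candidate %-34s loose=%s strict=%s\n",
        var_export($candidate, true),
        isPasswordValidLoose($candidate, STORED_HASH) ? 'true' : 'false',
        isPasswordValidStrict($candidate, STORED_HASH) ? 'true' : 'false');
}
print_r(findNumericHashes([STORED_HASH, 'a1b2c3d4e5f60718293a4b5c6d7e8f90']));
```

For new code, store passwords with password_hash() and check them with password_verify(), which never compares raw digests with ==.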

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit grants an attacker complete administrative control over the Plesk server, leading to severe business consequences. These risks include the theft, modification, or destruction of all data on the server, including websites, databases, and customer information. An attacker could deface websites, install malware or ransomware, use the server for malicious activities like sending spam or launching DDoS attacks, and cause significant reputational damage, customer distrust, and potential financial and legal liabilities.

Remediation

Immediate Action: Update Plesk Obsidian to the latest version. This is the most effective method to permanently fix the vulnerability. After patching, administrators should immediately monitor for any exploitation attempts and review historical access logs for any suspicious or unauthorized administrative logins.

Proactive Monitoring: Security teams should actively monitor authentication logs for an unusual volume of failed login attempts followed by a success from a single IP address. Specifically, look for successful administrative logins where the source IP is unexpected or the user agent is anomalous. System integrity monitoring should be in place to detect unauthorized file changes or suspicious running processes.

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

  • Enforce Multi-Factor Authentication (MFA) for all administrative accounts.
  • Restrict access to the Plesk administrative interface to a limited set of trusted IP addresses using firewall rules.
  • Deploy a Web Application Firewall (WAF) with rules designed to block common authentication bypass patterns.

Exploitation status

Public Exploit Available: False (as of the date of this report), but the vulnerability type is well-understood and an exploit could be easily developed.

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for a complete system compromise via a simple authentication bypass, immediate action is required. We strongly recommend that all organizations using affected versions of Plesk Obsidian apply the vendor-provided security updates as the highest priority. In parallel, implement MFA and IP-based access restrictions for the administrative panel to provide layered defense against this and future threats.