A critical vulnerability, identified as CVE-2025-66430, has been discovered in multiple Plesk products, rated with a CVSS score of 9.1. This flaw stems from an Incorrect Access Control issue, which could allow an unauthenticated remote attacker to bypass security measures and gain administrative-level control over the hosting platform. Successful exploitation could lead to complete system compromise, data breaches, and service disruption for all hosted websites.

The vulnerability is an Incorrect Access Control flaw within the Plesk web management interface. A remote attacker can exploit this by sending a specially crafted HTTP request to a specific API endpoint that fails to properly validate the user's permissions. This allows an unauthenticated or low-privileged user to access and execute functions that should be restricted to high-privileged administrators, potentially leading to arbitrary command execution on the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Exploitation could have a severe and direct impact on business operations. An attacker could gain complete control of the Plesk server, leading to a full-scale data breach of all hosted customer websites, databases, and sensitive information. Potential consequences include unauthorized modification or deletion of data, website defacement, service outages, and the use of the compromised server to launch further attacks. This poses a significant risk of reputational damage, loss of customer trust, and potential financial liabilities from regulatory fines and incident response costs.

Immediate Action: The primary remediation is to immediately apply the security updates provided by the vendor. Administrators must update all affected Plesk instances to the latest patched version. Refer to the official Plesk security advisory for specific patch details and installation instructions. After patching, it is crucial to review access logs and audit logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts.

• Log Analysis: Scrutinize Plesk access logs, web server logs (e.g., Apache, Nginx), and system audit logs for unusual or unauthorized requests to administrative endpoints, especially from unknown IP addresses.
• Network Traffic: Monitor for anomalous network traffic patterns, such as unexpected outbound connections from the Plesk server, which could indicate a post-compromise C2 channel.
• File Integrity: Utilize File Integrity Monitoring (FIM) tools to detect unauthorized changes to web application files, system binaries, or configuration files.

Compensating Controls: If immediate patching is not feasible, apply these temporary risk mitigation measures:

• Access Restriction: Use a firewall to restrict access to the Plesk administrative interface (typically on TCP port 8443) to a limited set of trusted IP addresses.
• Web Application Firewall (WAF): Deploy a WAF with virtual patching rules designed to detect and block malicious requests attempting to exploit this specific vulnerability.
• Increased Auditing: Enable and review detailed logging for all administrative actions within Plesk to facilitate early detection of unauthorized activity.

Public Exploit Available: False

Given the critical CVSS score of 9.1, this vulnerability presents a clear and present danger to affected organizations. The risk of complete system compromise by a remote, unauthenticated attacker necessitates immediate action. We strongly recommend that all organizations using affected Plesk products treat the application of the vendor-supplied patch as their highest security priority. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion. Patch immediately and hunt for evidence of compromise.