CVE-2025-49618
📋 TL;DR
This vulnerability in Plesk Obsidian allows unauthenticated attackers to access AWS credentials via a specific endpoint. It affects Plesk Obsidian 18.0.69 installations that use AWS integration. Attackers can obtain AWS access keys, potentially leading to unauthorized cloud resource access.
💻 Affected Systems
- Plesk Obsidian
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain AWS credentials and gain full control over associated AWS resources, leading to data theft, resource hijacking, or service disruption.
Likely Case
Attackers harvest AWS credentials and use them for unauthorized API calls, potentially incurring costs or accessing sensitive cloud data.
If Mitigated
With proper AWS IAM policies and monitoring, impact is limited to credential exposure without significant resource compromise.
🎯 Exploit Status
Simple HTTP GET request to /login_up.php reveals credentials. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.0.70 or later
Vendor Advisory: https://www.plesk.com/blog/plesk-news-announcements/plesk-obsidian-18-0-69-is-here/
Restart Required: No
Instructions:
1. Log into Plesk admin panel.
2. Navigate to Tools & Settings > Updates and Upgrades.
3. Click 'Check for Updates'.
4. Install available updates to version 18.0.70 or higher.
🔧 Temporary Workarounds
Block vulnerable endpoint
All platforms: Temporarily block access to /login_up.php via web server configuration
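# For Apache: add to .htaccess or virtual host config
# The optional leading slash makes the pattern match in both contexts:
# .htaccess rules see "login_up.php", virtual host rules see "/login_up.php".
RewriteEngine On
RewriteRule ^/?login_up\.php$ - [F,L]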
# For Nginx: add to server block
location = /login_up.php { deny all; }
Rotate AWS credentials
All platforms: Immediately rotate all AWS access keys used by Plesk
# 1. Log into AWS Console
# 2. Navigate to IAM > Users
# 3. Find Plesk user
# 4. Create new access key
# 5. Update Plesk with new credentials
# 6. Delete old access key
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to the Plesk admin interface
- Enable AWS CloudTrail logging and set up alerts for unauthorized API calls
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to https://[plesk-server]/login_up.php and check whether AWS credentials are returned in the response
Check Version:
plesk version
Verify Fix Applied:
After the update, the same request should return an error or no credentials. Check that the Plesk version is 18.0.70+
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /login_up.php
- Unusual AWS API calls from Plesk credentials
Network Indicators:
- HTTP GET requests to /login_up.php from external IPs
- Outbound connections to AWS services from unexpected locations
SIEM Query:
source="plesk_access.log" AND uri="/login_up.php" AND status=200
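One way to apply the log and network indicators above to a web access log, as an added example (not code from this page or from Plesk). It assumes combined log format; the sample lines, INTERNAL_NETS and the threshold of 3 are constructed or hypothetical values to adjust.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (assumed combined log format, not real Plesk logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:10:01:02 +0000] "GET /login_up.php HTTP/1.1" 200 5123 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:10:01:03 +0000] "GET /login_up.php HTTP/1.1" 200 5123 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jun/2025:10:01:04 +0000] "GET /login_up.php?x=1 HTTP/1.1" 200 5123 "-" "curl/8.5.0"
10.0.0.5 - - [10/Jun/2025:10:02:00 +0000] "GET /login_up.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:10:03:00 +0000] "GET /login_up.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:10:03:05 +0000] "POST /login_up.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2025:10:04:00 +0000] "GET /login_up.phpx HTTP/1.1" 200 10 "-" "Mozilla/5.0"
not an access log line
"""

# Hypothetical definition of "internal"; replace with your own admin/VPN ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_external(ip_text):
    """True if the client address parses and lies outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or malformed field: cannot classify, skip
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_clients(log_text, threshold=3):
    """Count external GET /login_up.php requests answered with 200, per client."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        path = m["target"].split("?", 1)[0]  # exact path match, query ignored
        if (m["method"] == "GET" and path == "/login_up.php"
                and m["status"] == "200" and is_external(m["ip"])):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A match shows only that the endpoint answered the request; correlate flagged clients with AWS API activity for the Plesk access key in CloudTrail before treating the key as misused.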