CVE-2025-66431
📋 TL;DR
This vulnerability allows authenticated Plesk users with domain management permissions to execute arbitrary code with root privileges during domain creation. It affects WebPros Plesk installations on Linux where users have 'Create and manage sites' with 'Domains management' and 'Subdomains management' permissions.
💻 Affected Systems
- WebPros Plesk
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user gains full root access to the server, allowing complete system compromise, data theft, and lateral movement.
Likely Case
Privileged Plesk users exploit the vulnerability to escalate privileges to root and execute arbitrary commands on the server.
If Mitigated
With proper access controls limiting domain management permissions, the attack surface is reduced to only trusted administrators.
🎯 Exploit Status
Exploitation requires authenticated access with specific permissions, but the vulnerability itself appears straightforward based on the description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.0.73.5 or 18.0.74.2
Restart Required: Yes
Instructions:
1. Backup your Plesk configuration and data. 2. Update Plesk to version 18.0.73.5 or 18.0.74.2 via the Plesk updater or command line. 3. Restart Plesk services after update.
🔧 Temporary Workarounds
Restrict Domain Management Permissions
linuxTemporarily remove 'Domains management' and 'Subdomains management' permissions from non-administrative users until patching is complete.
🧯 If You Can't Patch
- Immediately audit and restrict domain management permissions to only essential administrative users
- Implement network segmentation to isolate Plesk servers and monitor for suspicious domain creation activities
🔍 How to Verify
Check if Vulnerable:
Check Plesk version via command line: plesk version. If version is earlier than 18.0.73.5 or between 18.0.74 and 18.0.74.2, the system is vulnerable.Check Version:
plesk versionVerify Fix Applied:
After update, verify version is 18.0.73.5 or 18.0.74.2 or later using plesk version command.📡 Detection & Monitoring
Log Indicators:
- Unusual domain creation patterns by non-administrative users
- Suspicious command execution in Plesk logs during domain operations
Network Indicators:
- Unexpected outbound connections from Plesk server following domain creation
SIEM Query:
source="plesk" AND (event="domain_create" OR event="subdomain_create") AND user!="admin"🔗 References
- https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074
- https://docs.plesk.com/release-notes/obsidian/whats-new/
- https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root
