PatchSiren

CVE-2025-65518 Plesk CVE debrief

CVE-2025-65518 is a high-severity Denial of Service (DoS) vulnerability affecting Plesk Obsidian versions 8.0.1 through 18.0.73. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. Plesk Obsidian is a popular web management platform used for managing servers, websites, and applications. The vulnerability was published on January 8, 2026, and last modified on June 30, 2026.

Vendor: Plesk
Product: Obsidian
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-08
Original CVE updated: 2026-06-30
Advisory published: 2026-01-08
Advisory updated: 2026-06-30

Who should care

Administrators and users of Plesk Obsidian versions 8.0.1 through 18.0.73 should be aware of this vulnerability and take immediate action to mitigate the risk. It can be exploited remotely without authentication, which makes it a serious concern for organizations running the affected versions. Successful exploitation results in a persistent Denial of Service condition that impacts the availability of the affected Plesk Obsidian instance.

Technical summary

CVE-2025-65518 is a Denial of Service (DoS) vulnerability that affects Plesk Obsidian versions 8.0.1 through 18.0.73. It exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload. This results in a persistent availability impact on the affected Plesk Obsidian instance. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: the attack vector is the network (AV:N), attack complexity is low (AC:L), no privileges (PR:N) or user interaction (UI:N) are required, scope is unchanged (S:U), and the impact is limited to availability (A:H), with no confidentiality (C:N) or integrity (I:N) impact.

Defensive priority

High priority should be given to mitigating this vulnerability, as it can be exploited remotely without authentication and has a high CVSS score. Administrators should review their Plesk Obsidian instances and apply any available patches or updates to prevent exploitation.

Recommended defensive actions

  • Review and apply patches or updates for Plesk Obsidian versions 8.0.1 through 18.0.73.
  • Implement network segmentation and isolation to limit the attack surface.
  • Monitor Plesk Obsidian instances for suspicious activity and implement logging and auditing.
  • Consider implementing a web application firewall (WAF) to detect and prevent malicious traffic.
  • Review and update incident response plans to include procedures for responding to Denial of Service attacks.

Evidence notes

The CVE-2025-65518 vulnerability was published on January 8, 2026, and last modified on June 30, 2026. The vulnerability affects Plesk Obsidian versions 8.0.1 through 18.0.73. The CVSS score is 7.5, and the severity is classified as HIGH. The vulnerability exists in the get_password.php endpoint and can be exploited remotely without authentication.

This article is AI-assisted and based on the supplied source corpus.