
CVE-2022-45130: n/a in n/a

Medium
Published: Thu Nov 10 2022 (11/10/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.

AI-Powered Analysis

Last updated: 06/25/2025, 17:47:23 UTC

Technical Analysis

CVE-2022-45130 is a Cross-Site Request Forgery (CSRF) vulnerability in Plesk Obsidian, a widely used web hosting control panel. "Obsidian" is the name of the Plesk release line that followed the numbered versions (numbers were used through version 12), which is why the CVE record carries no version number. The reported vector is the /api/v2/cli/commands REST API endpoint, which executes Plesk command-line utilities on behalf of the caller and can be driven to change the administrator password.

The weakness (CWE-352) is that the endpoint accepts a request on the strength of the caller's existing authenticated session alone, without an anti-CSRF token or an origin check. An attacker therefore does not need the administrator's credentials: they need the administrator to load an attacker-controlled page while logged in to the panel. The browser attaches the panel's session cookie to the forged cross-site request automatically, the panel treats it as the administrator's own action, and the command runs with administrator rights. Because the request originates from the administrator's own browser and IP address, source-IP allow-listing alone does not stop it.

The CVSS 3.1 base score is 6.5 (medium). The vector is network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and user interaction required (UI:R), with a high integrity impact and no direct confidentiality or availability impact; "no privileges required" describes the attacker's position, not the victim's, since the forged request only succeeds while the victim holds an active administrator session. The integrity-only scoring understates the practical outcome: once the administrator password has been replaced, the attacker can log in and take full control of the Plesk server and every hosted site, enabling defacement, data theft or malware deployment. No known exploits in the wild have been reported, and the source record provides no patch or vendor-specific details, so the affected and fixed builds must be confirmed against Plesk's own advisories and changelog.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on Plesk Obsidian for web hosting management. Successful exploitation yields administrative access to the panel, compromising the integrity of every hosted website and service: defacement, data breaches, or use of the compromised server as a launchpad for further attacks. Organizations subject to strict data protection regulations (e.g., GDPR) could face legal and reputational consequences if customer data is exposed or services are disrupted. The low barrier to exploitation (no credentials required, low complexity) combined with the critical role of the admin account magnifies the threat. The requirement for user interaction (the administrator must visit an attacker-controlled page while logged in to the panel) narrows the attack surface somewhat, but a phishing or social engineering campaign is all that is needed to satisfy it. The lack of known exploits in the wild suggests limited active targeting at the time of writing, but the vulnerability remains a latent risk. European hosting providers, managed service providers, and enterprises whose Plesk panels are reachable from the internet are particularly exposed.

Mitigation Recommendations

The root-cause fix, anti-CSRF tokens and Origin/Referer validation on the Plesk API endpoints, belongs to the vendor: apply Plesk updates promptly and subscribe to Plesk security advisories to confirm which Obsidian build addresses this issue, since the source record names none.

Until then, reduce exposure of the management interface. Restrict access to the panel and to the /api/v2/cli/commands endpoint to trusted networks, a VPN, or a secure gateway, and keep it off the public internet where possible. Note that IP restrictions alone do not stop CSRF, because the forged request is sent by the administrator's own browser from the administrator's own address; they limit who can reach the panel, not what a logged-in administrator's browser can be made to do. A reverse proxy or Web Application Firewall in front of the panel can add a compensating control by rejecting state-changing requests to /api/v2/ whose Origin, Referer or Sec-Fetch-Site headers indicate a cross-site source, with the caveat that such rules must be tested against the panel's own pages and any legitimate non-browser API clients before blocking mode is enabled.

Enforce multi-factor authentication for administrative accounts. MFA does not prevent the forged request itself, since the session is already authenticated, but it means that a changed admin password alone does not let the attacker log in afterwards. Educate administrators not to browse untrusted sites while logged in to the panel, and to log out of the panel when done, since CSRF depends on an active session. Regularly review panel and web-server logs for POST requests to the CLI API and for unexpected admin password changes, and alert on API calls whose Origin or Referer is not the panel's own host.
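The log-review step above, as an added detection example that is not part of the original page: it scans access-log lines for cross-site POSTs to the Plesk REST CLI endpoint family and flags any whose Origin or Referer is not the panel's own host. The log format (combined log plus an origin="..." field as a proxy might append it), the panel hostname and the sample lines are all constructed for this demo; adapt the regex to the format your proxy or web server actually writes.

```python
"""Flag cross-site POSTs to /api/v2/cli/ in constructed access-log lines.
Added example; the log format, panel hostname and sample traffic are assumed."""
import re
from urllib.parse import urlsplit

PANEL_HOSTS = {"panel.example.test"}   # assumed: hostnames admins use for the panel
WATCHED_PREFIXES = ("/api/v2/cli/",)    # endpoint family named in the advisory

# Combined log format with an optional trailing origin="..." field (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: origin="(?P<origin>[^"]*)")?'
)

# Constructed sample lines, not real traffic. Note the cross-site POST comes
# from the same IP as the admin's legitimate session: it is the admin's browser.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Nov/2022:09:15:02 +0000] "POST /api/v2/cli/commands HTTP/1.1" 200 41 '
    '"https://panel.example.test:8443/admin/" "Mozilla/5.0" origin="https://panel.example.test:8443"',
    '198.51.100.7 - - [10/Nov/2022:09:16:40 +0000] "POST /api/v2/cli/commands HTTP/1.1" 200 41 '
    '"https://attacker.example/free-hosting.html" "Mozilla/5.0" origin="https://attacker.example"',
    '203.0.113.20 - - [10/Nov/2022:09:17:05 +0000] "POST /api/v2/cli/commands HTTP/1.1" 200 41 '
    '"-" "curl/7.85.0"',
    '198.51.100.7 - - [10/Nov/2022:09:18:00 +0000] "GET /api/v2/cli/commands HTTP/1.1" 200 880 '
    '"https://attacker.example/x" "Mozilla/5.0" origin="https://attacker.example"',
    '198.51.100.7 - - [10/Nov/2022:09:19:30 +0000] "POST /login_up.php HTTP/1.1" 302 0 '
    '"https://panel.example.test:8443/login.php" "Mozilla/5.0"',
]


def _host(url):
    """Hostname of a URL-valued log field, or None when the field is empty/'-'."""
    if not url or url == "-":
        return None
    return urlsplit(url).hostname


def classify(line):
    """Parse one line; return a finding dict for POSTs to the watched endpoints,
    None for anything else or for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    if d["method"] != "POST" or not d["path"].startswith(WATCHED_PREFIXES):
        return None
    # Prefer Origin (browsers always send it on cross-site POSTs); fall back to Referer.
    src = _host(d["origin"]) or _host(d["referer"])
    if src is None:
        verdict = "no-origin"    # non-browser client or stripped headers: review manually
    elif src in PANEL_HOSTS:
        verdict = "same-site"
    else:
        verdict = "cross-site"   # the CSRF signature: panel session, foreign page
    return {"ip": d["ip"], "ts": d["ts"], "path": d["path"], "status": d["status"],
            "source": src, "verdict": verdict}


def find_suspicious(lines):
    """Return findings that are not plainly same-site, cross-site ones first."""
    found = [r for r in map(classify, lines) if r and r["verdict"] != "same-site"]
    return sorted(found, key=lambda r: r["verdict"] != "cross-site")


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Cross-site findings are the actionable ones; "no-origin" hits are usually scripted API clients and are listed only so that an unexpected one can be reviewed. A hit with a 200 status and a "cross-site" verdict against a password-changing command should be treated as a compromised admin account until proven otherwise.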


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2022-11-10T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9839c4522896dcbecee3

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 5:47:23 PM

Last updated: 8/13/2025, 11:48:39 PM

