
CVE-2025-49618: CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') in Plesk Obsidian

Medium
Tags: Vulnerability, CVE-2025-49618, cve, cve-2025-49618, cwe-402
Published: Thu Jul 03 2025 (07/03/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: Plesk
Product: Obsidian

Description

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

AI-Powered Analysis

AI analysis last updated: 07/03/2025, 12:54:55 UTC

Technical Analysis

CVE-2025-49618 is a medium-severity vulnerability in Plesk Obsidian 18.0.69. It is classified under CWE-402, Transmission of Private Resources into a New Sphere ('Resource Leak'): private data is handed to a context that was never meant to receive it. Here that context is an unauthenticated HTTP client. A request to /login_up.php (the Plesk panel login page) can return an AWS accessKeyId, secretAccessKey, region and endpoint. Because the login page is reachable before any authentication and no user interaction is needed, the leak is exploitable by anyone who can reach the panel over the network.

The analysis assigns a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N with a base score of 5.8 (Medium). The CVE record itself lists no CVSS version (see Technical Details below), so treat this vector as the analysis's own assessment rather than a vendor or NVD score. The scope change reflects that the leaked credential belongs to a different security authority (the AWS account) than the vulnerable component (the Plesk panel). The Low confidentiality rating describes the disclosure itself; the practical consequence is bounded by whatever the leaked key's IAM policy allows, and a long-term key (accessKeyId plus secretAccessKey) stays valid until it is deactivated or deleted, regardless of whether the panel is later patched.

No exploitation in the wild had been reported at the time of analysis, and no patch was listed in the record. An exposed key can be used to read or exfiltrate data, create resources, or move laterally within the AWS account, so until a fix is available the priority is credential rotation, access restriction and monitoring.

Potential Impact

For European organizations running Plesk Obsidian 18.0.69, the risk is to the confidentiality of the AWS credentials the panel holds. Disclosure of an access key lets an attacker act within the limits of that key's IAM policy: exfiltrating data from S3 or other services, deploying workloads (for example for cryptomining), or deleting resources and disrupting services. Given the wide adoption of AWS in Europe and the popularity of Plesk as a hosting control panel, organizations may also face GDPR obligations if personal data held in the affected account is exposed, and financial loss from resource abuse or extortion.

The unauthenticated nature of the leak makes it well suited to automated scanning: a single request to a known path on every reachable Plesk host is enough to harvest keys. Hosting providers and managed service providers (MSPs) that use Plesk to manage many customer environments are exposed in proportion to the number of panels they operate, and a key shared across several panels multiplies the damage of any one disclosure.

Mitigation Recommendations

Treat any AWS key configured in an affected panel as already compromised, since the leak requires no authentication and may have been harvested before it was reported. Rotate first: create a replacement key, move every consumer (the Plesk integration and anything else using the key) to it, set the old key to Inactive, confirm via IAM's last-used information that nothing still depends on it, then delete it. Where the integration allows it, prefer an IAM role or short-lived credentials over a long-term key stored in the panel, and scope whatever credential remains to the minimum permissions the integration needs.

Next, restrict who can reach the endpoint. /login_up.php is the panel's login page, so blocking the path outright at a firewall or WAF also blocks legitimate logins; the practical control is to allow only trusted administrator source addresses to reach the panel port (8443 by default) and to deny everything else. Audit all Plesk installations to identify the affected version and upgrade as soon as Plesk publishes a fixed release.

Finally, monitor for use of the exposed key. Enable AWS CloudTrail in every region and search events for the exposed accessKeyId, paying particular attention to calls from source addresses other than the Plesk host and to AccessDenied errors, which indicate an attacker probing what the key can do. Include web management interfaces in regular security assessments and penetration tests to catch similar exposures, and watch threat intelligence feeds for exploitation attempts against this CVE.
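The following is an added example, not code from the advisory, from Plesk or from the analysis above. It shows the two checks the Technical Analysis and Mitigation Recommendations call for: a scanner that inspects the body of an unauthenticated response from /login_up.php for the four fields the advisory names, and a CloudTrail filter that surfaces every API call signed with an exposed key ID from outside a set of trusted source addresses. The exact format in which the vulnerable panel emits the credentials is not documented in the advisory, so the matching is format-agnostic (field names plus the well-known AKIA/ASIA key ID shape), and the sample response body, the key values (AWS documentation placeholders), the CloudTrail records and the trusted IP set are all constructed for the example.

```python
"""
Added example for CVE-2025-49618 (not part of the advisory or Plesk).

scan_response_for_aws_creds(): inspect the body of an unauthenticated HTTP
response (e.g. fetched from https://<panel>:8443/login_up.php) for AWS
credential material.  The advisory names the fields (accessKeyId,
secretAccessKey, region, endpoint) but not their encoding, so the matching is
deliberately format-agnostic.

flag_cloudtrail_events(): given CloudTrail records, return every API call
signed with an exposed key ID, minus calls from trusted source addresses.
Run it after rotating the key to see whether the old key was used in the
window before it was deactivated.

All sample data below is constructed; key values are AWS doc placeholders.
"""
import re
from typing import Iterable

# AWS long-term (AKIA) and temporary (ASIA) access key IDs: 4-char prefix + 16 chars.
ACCESS_KEY_ID_RE = re.compile(r"\b(A(?:KIA|SIA)[A-Z0-9]{16})\b")

# The four field names the advisory lists, as JSON members or key=value pairs.
FIELD_RE = re.compile(
    r'["\']?(accessKeyId|secretAccessKey|region|endpoint)["\']?\s*[:=]\s*["\']?([^"\',\s}]+)',
    re.IGNORECASE,
)
CANONICAL = {
    "accesskeyid": "accessKeyId",
    "secretaccesskey": "secretAccessKey",
    "region": "region",
    "endpoint": "endpoint",
}


def scan_response_for_aws_creds(body: str) -> dict:
    """Report AWS credential material found in an HTTP response body.

    A body counts as leaked if it carries a secretAccessKey or any token shaped
    like an access key ID.  'region' or 'endpoint' alone do not count: those
    words appear in ordinary HTML and carry no secret on their own.
    """
    fields = {CANONICAL[m.group(1).lower()]: m.group(2) for m in FIELD_RE.finditer(body)}
    key_ids = sorted(set(ACCESS_KEY_ID_RE.findall(body)))
    leaked = "secretAccessKey" in fields or bool(key_ids)
    return {"leaked": leaked, "access_key_ids": key_ids, "fields": fields}


def flag_cloudtrail_events(records: Iterable[dict], exposed_key_ids: set,
                           trusted_ips: frozenset = frozenset()) -> list:
    """Return CloudTrail records whose request was signed with an exposed key.

    `records` is the list under a CloudTrail log file's "Records" key.  The key
    ID that signed a request is userIdentity.accessKeyId.  Calls from
    trusted_ips (e.g. the Plesk host's own egress address) are dropped so the
    result contains only activity that needs investigation.  errorCode is kept
    because a run of AccessDenied calls is an attacker enumerating the key.
    """
    flagged = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in exposed_key_ids or rec.get("sourceIPAddress") in trusted_ips:
            continue
        flagged.append({
            "eventTime": rec.get("eventTime"),
            "eventName": rec.get("eventName"),
            "eventSource": rec.get("eventSource"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "accessKeyId": key_id,
            "errorCode": rec.get("errorCode"),
        })
    return flagged


# Constructed sample: a hypothetical leaking login page embedding a config object.
SAMPLE_LEAKING_BODY = (
    '<html><body><script>var cfg = {"accessKeyId":"AKIAIOSFODNN7EXAMPLE",'
    '"secretAccessKey":"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",'
    '"region":"eu-central-1","endpoint":"https://s3.eu-central-1.amazonaws.com"};'
    "</script></body></html>"
)
# Constructed sample: an ordinary login form with nothing sensitive in it.
SAMPLE_CLEAN_BODY = (
    '<html><body><form action="/login_up.php" method="post">'
    '<input name="login_name"><input name="passwd" type="password"></form></body></html>'
)
# Constructed CloudTrail records: 203.0.113.10 is the Plesk host, 198.51.100.77 is not.
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventTime": "2025-07-03T09:12:01Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-07-03T11:40:55Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-07-03T11:41:09Z", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2025-07-03T12:00:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
]

if __name__ == "__main__":
    result = scan_response_for_aws_creds(SAMPLE_LEAKING_BODY)
    print("leaked:", result["leaked"], "key ids:", result["access_key_ids"])
    for ev in flag_cloudtrail_events(SAMPLE_CLOUDTRAIL_RECORDS, set(result["access_key_ids"]),
                                     frozenset({"203.0.113.10"})):
        print(ev["eventTime"], ev["sourceIPAddress"], ev["eventSource"], ev["eventName"], ev["errorCode"])
```

In practice the body passed to scan_response_for_aws_creds() comes from a plain GET of the panel's login URL with no cookies or credentials; if it reports leaked, rotate the key immediately with the AWS CLI (aws iam create-access-key, switch consumers, aws iam update-access-key --status Inactive, aws iam get-access-key-last-used to confirm nothing still uses it, then aws iam delete-access-key) and only then treat the CloudTrail findings as the scope of what the attacker may have done.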


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-07T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68667a046f40f0eb72967142

Added to database: 7/3/2025, 12:39:32 PM

Last enriched: 7/3/2025, 12:54:55 PM

Last updated: 7/3/2025, 2:33:33 PM

