CVE-2025-49618 is a medium-severity vulnerability identified in Plesk Obsidian version 18.0.69. The vulnerability arises from improper handling of private resource information, specifically classified under CWE-402, which involves the transmission of private resources into an unintended context, commonly known as a resource leak. In this case, unauthenticated HTTP requests to the endpoint /login_up.php can expose sensitive AWS credentials, including the accessKeyId, secretAccessKey, region, and endpoint details. These credentials are critical for accessing AWS resources and services. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 3.1 base score is 5.8, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact is limited to confidentiality (C:L), with no direct impact on integrity or availability. Although no known exploits are currently reported in the wild, the exposure of AWS credentials can lead to unauthorized access to cloud resources, potentially resulting in data breaches, resource misuse, or further lateral attacks within the compromised cloud environment. The vulnerability is specific to Plesk Obsidian 18.0.69, a widely used web hosting control panel, which integrates with cloud services for management and automation tasks. The lack of available patches at the time of reporting increases the urgency for mitigation and monitoring.

For European organizations using Plesk Obsidian 18.0.69, this vulnerability poses a significant risk to the confidentiality of their AWS cloud credentials. Unauthorized disclosure of AWS access keys can lead to unauthorized access to cloud infrastructure, enabling attackers to exfiltrate sensitive data, deploy malicious workloads, or disrupt services indirectly. Given the widespread adoption of AWS in Europe and the popularity of Plesk as a hosting management tool, organizations could face compliance risks under GDPR if personal data is exposed or compromised. Additionally, the potential misuse of cloud resources could lead to financial losses due to resource abuse or ransom demands. The vulnerability's unauthenticated nature increases the risk of automated scanning and exploitation attempts, especially targeting hosting providers and enterprises relying on Plesk for cloud integration. This could also impact managed service providers (MSPs) who use Plesk to manage multiple client environments, amplifying the scope of potential damage.

Immediate mitigation steps include restricting access to the /login_up.php endpoint through network-level controls such as firewall rules or web application firewalls (WAFs) to block unauthenticated requests. Organizations should audit their Plesk installations to identify affected versions and upgrade to a patched version once available from Plesk. In the absence of an official patch, temporarily disabling or restricting the vulnerable endpoint may be necessary. Additionally, organizations should rotate AWS credentials that may have been exposed to prevent unauthorized access. Implementing strict IAM policies with least privilege principles and enabling AWS CloudTrail logging and monitoring can help detect suspicious activities stemming from compromised credentials. Regular security assessments and penetration testing focused on web management interfaces are recommended to identify similar exposure risks. Finally, organizations should monitor threat intelligence feeds for any emerging exploit attempts targeting this vulnerability.