CVE-2025-49618: CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') in Plesk Obsidian
In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.
AI Analysis
Technical Summary
CVE-2025-49618 is a medium-severity vulnerability in Plesk Obsidian version 18.0.69. It is classified under CWE-402 (Transmission of Private Resources into a New Sphere, commonly called a resource leak): private resource information is handled improperly and ends up in a context where it does not belong. Here, unauthenticated HTTP requests to the endpoint /login_up.php can expose sensitive AWS credentials, including the accessKeyId, secretAccessKey, region, and endpoint details. These credentials grant access to AWS resources and services. Because no authentication or user interaction is required, the flaw is remotely exploitable over the network. The CVSS 3.1 base score is 5.8 (medium), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C). The impact is limited to confidentiality (C:L), with no direct impact on integrity or availability. Although no exploits are currently reported in the wild, exposed AWS credentials can lead to unauthorized access to cloud resources, potentially resulting in data breaches, resource misuse, or further lateral movement within the compromised cloud environment. The vulnerability is specific to Plesk Obsidian 18.0.69, a widely used web hosting control panel that integrates with cloud services for management and automation tasks. The lack of an available patch at the time of reporting increases the urgency of mitigation and monitoring.
Potential Impact
For European organizations running Plesk Obsidian 18.0.69, this vulnerability poses a significant risk to the confidentiality of their AWS cloud credentials. Disclosure of AWS access keys can lead to unauthorized access to cloud infrastructure, enabling attackers to exfiltrate sensitive data, deploy malicious workloads, or disrupt services indirectly. Given the widespread adoption of AWS in Europe and the popularity of Plesk as a hosting management tool, organizations could face compliance exposure under GDPR if personal data is accessed or compromised. The misuse of cloud resources could also cause financial losses through resource abuse or ransom demands. Because the flaw is unauthenticated, it is a natural target for automated scanning and exploitation attempts, especially against hosting providers and enterprises that rely on Plesk for cloud integration. Managed service providers (MSPs) that use Plesk to administer multiple client environments are also affected, which amplifies the scope of potential damage.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the /login_up.php endpoint with network-level controls such as firewall rules or a web application firewall (WAF) so that unauthenticated requests are blocked. Organizations should audit their Plesk installations to identify affected versions and upgrade to a patched version once Plesk releases one. In the absence of an official patch, temporarily disabling or restricting the vulnerable endpoint may be necessary. AWS credentials that may have been exposed should be rotated to prevent unauthorized access. Enforcing least-privilege IAM policies and enabling AWS CloudTrail logging and monitoring help detect suspicious activity originating from compromised credentials. Regular security assessments and penetration testing focused on web management interfaces are recommended to identify similar exposure risks. Finally, organizations should monitor threat intelligence feeds for emerging exploit attempts targeting this vulnerability.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68667a046f40f0eb72967142
Added to database: 7/3/2025, 12:39:32 PM
Last enriched: 7/3/2025, 12:54:55 PM
Last updated: 7/3/2025, 2:33:33 PM
Related Threats
- CVE-2025-52554: CWE-862: Missing Authorization in n8n-io n8n (Medium)
- CVE-2025-53369: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-extensions-ShortDescription (High)
- CVE-2025-53370: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in StarCitizenTools mediawiki-skins-Citizen (High)
- CVE-2025-34089: CWE-306 Missing Authentication for Critical Function in Aexol Studio Remote for Mac (Critical)
- CVE-2025-34088: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Artica ST Pandora FMS (High)