
CVE-2025-54336: n/a

Severity: Critical
Published: Tue Aug 19 2025 (08/19/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.

AI-Powered Analysis

Last updated: 08/19/2025, 14:03:14 UTC

Technical Analysis

CVE-2025-54336 is a critical authentication bypass vulnerability found in Plesk Obsidian version 18.0.70, specifically within the admin/plib/LoginManager.php file. The vulnerability arises from the use of a weak password comparison method in the function _isAdminPasswordValid, which employs a loose equality (==) comparison rather than a strict equality (===). This comparison flaw allows an attacker to exploit PHP's type juggling behavior. If the legitimate admin password begins with the string "0e" followed by digits (e.g., "0e12345"), PHP interprets this string as a floating-point number in scientific notation equal to zero (0.0). Consequently, any other string that also evaluates to 0.0 under PHP's loose comparison, such as "0e0", will be considered equal to the correct password. This enables an attacker to bypass authentication without knowing the actual password, effectively gaining admin access. The vulnerability is classified under CWE-697 (Incorrect Comparison), and has a CVSS v3.1 base score of 9.8, indicating critical severity. The attack vector is network-based with no privileges or user interaction required, and it impacts confidentiality, integrity, and availability fully. No patches or exploits in the wild are currently reported, but the vulnerability's nature makes it highly exploitable and dangerous.
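The comparison flaw described above, shown as an added PHP example rather than Plesk's own code: a loose `==` check of the kind attributed to `_isAdminPasswordValid` beside two safe replacements. The stored password value is constructed for illustration, and the function names and the assumption that the application might store either a plaintext secret or a `password_hash()` digest are this example's own.

```php
<?php
// Added example, not Plesk's code. Demonstrates why a loose (==) string
// comparison is an authentication bypass in PHP and how to compare safely.
declare(strict_types=1);

// Vulnerable pattern: the kind of check the advisory describes. PHP compares
// two numeric strings as numbers, so "0e12345" == "0e0" is true because both
// parse as 0 * 10^n, i.e. 0.0. This holds in PHP 7 and PHP 8.
function isPasswordValidLoose(string $stored, string $supplied): bool
{
    return $stored == $supplied;
}

// Hardened pattern for a stored plaintext secret: hash_equals() is a strict,
// timing-safe byte comparison and never coerces its arguments, so only an
// identical string passes.
function isPasswordValidStrict(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// Hardened pattern for a stored password hash (assumption: the application
// stores password_hash() output, not the plaintext). password_verify() does
// the comparison internally and is not subject to type juggling.
function isPasswordHashValid(string $storedHash, string $supplied): bool
{
    return password_verify($supplied, $storedHash);
}

// Constructed sample: an admin password of the vulnerable "0e" + digits form.
$storedPassword = '0e12345';
$storedHash     = password_hash($storedPassword, PASSWORD_DEFAULT);

// Constructed login attempts: the real password, two other "0e" strings,
// a plain "0", and a non-numeric string.
$attempts = ['0e12345', '0e0', '0e99', '0', 'abc'];

printf("%-10s %-7s %-7s %-7s\n", 'attempt', 'loose', 'strict', 'hash');
foreach ($attempts as $attempt) {
    printf("%-10s %-7s %-7s %-7s\n",
        $attempt,
        isPasswordValidLoose($storedPassword, $attempt)  ? 'PASS' : 'fail',
        isPasswordValidStrict($storedPassword, $attempt) ? 'PASS' : 'fail',
        isPasswordHashValid($storedHash, $attempt)       ? 'PASS' : 'fail'
    );
}
```

Run with `php example.php`: the loose column accepts every numeric-string attempt that evaluates to zero (`0e0`, `0e99` and `0` as well as the real password), while the strict and hash columns accept only `0e12345`. `hash_equals()` also removes the timing side channel of a plain `===`, and `password_verify()` is the right choice wherever the stored value is a hash rather than the secret itself.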

Potential Impact

For European organizations using Plesk Obsidian 18.0.70, this vulnerability poses a severe risk. Plesk is widely used for web hosting management, especially among small and medium enterprises and hosting providers. An attacker exploiting this flaw can gain full administrative control over the Plesk panel, allowing them to manipulate hosted websites, access sensitive customer data, deploy malware, or disrupt services. This compromises confidentiality, integrity, and availability of hosted services and data. Given the critical CVSS score and the ease of exploitation without authentication or user interaction, the threat could lead to widespread defacements, data breaches, ransomware deployment, or use of compromised servers as part of botnets. The impact extends to regulatory compliance risks under GDPR due to potential data exposure. Additionally, the lack of patches increases the window of exposure, making timely mitigation essential.

Mitigation Recommendations

European organizations should immediately audit their Plesk Obsidian installations to identify if version 18.0.70 is in use. Since no official patch is currently available, temporary mitigations include:

1) Restricting access to the Plesk admin interface via network-level controls such as IP whitelisting or VPN-only access to reduce exposure.
2) Implementing multi-factor authentication (MFA) for Plesk admin accounts to add an additional layer of security beyond password checks.
3) Monitoring authentication logs for suspicious login attempts, especially those involving unusual password strings resembling the '0e' pattern.
4) Considering downgrading or upgrading to a Plesk version not affected by this vulnerability once a patch is released.
5) Employing Web Application Firewalls (WAFs) with custom rules to detect and block login attempts exploiting this weakness.
6) Educating administrators about the risk and enforcing strong password policies that avoid vulnerable password patterns starting with '0e'.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-07-20T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68a48084ad5a09ad00f8238c

Added to database: 8/19/2025, 1:47:48 PM

Last enriched: 8/19/2025, 2:03:14 PM

Last updated: 8/19/2025, 2:03:14 PM

