=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN857
_____________________________________________________________________

DATE                : 16/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Plesk for Linux versions prior
                     to 18.0.73, 18.0.74.

=====================================================================
https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server
_____________________________________________________________________

 [CVE-2025-66430] Security vulnerability in Password Protected
Directories allows Plesk users to gain root-level access to a
Plesk server


Pablo Alvarez
Updated December 01, 2025 22:04

Applicable to:

    Plesk for Linux

Situation

A security vulnerability has been discovered in Plesk's
Password-Protected Directories feature that allows injection of
arbitrary data into the Apache configuration. Exploiting this
vulnerability allows Plesk users to execute arbitrary commands as
the root user. This security vulnerability has been identified as
CVE-2025-66430.

We would like to thank Philip Okhonko for identifying and
responsibly reporting this vulnerability to us.
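The advisory describes the bug class but not the exact injection point, so the following is an added illustration, not Plesk's code: a web panel that renders a user-supplied directory title into an Apache `<Directory>` block. The vulnerable builder interpolates the value verbatim, so a newline in it terminates the `AuthName` directive and whatever follows is parsed as further directives; the hardened builder validates the value against an allow-list before it reaches the configuration. The field name, paths and the constructed inputs are assumptions made for the example.

```python
import re

# Constructed inputs (assumption: the panel lets a user choose a title that
# becomes the AuthName of a password-protected directory). The second one
# carries a newline, which is all an Apache config injection needs; the
# directive it smuggles in (SetEnv) is deliberately harmless.
SAFE_TITLE = "Staff area"
INJECTED_TITLE = 'Staff area"\n    SetEnv INJECTED 1\n    AuthName "x'


class UnsafeConfigValue(ValueError):
    """Raised when a user-supplied value must not be written to Apache config."""


def build_directory_block_unsafe(path: str, title: str, passwd_file: str) -> str:
    """Vulnerable pattern: the title is pasted into the config as-is."""
    return (
        f"<Directory {path}>\n"
        f"    AuthType Basic\n"
        f'    AuthName "{title}"\n'
        f"    AuthUserFile {passwd_file}\n"
        f"    Require valid-user\n"
        f"</Directory>\n"
    )


def validate_config_value(value: str, max_len: int = 64) -> str:
    """Allow-list validation for a value that will become a quoted Apache
    argument. Rejects line breaks, NUL, quotes and backslashes explicitly,
    then anything outside a conservative character set."""
    if not value or len(value) > max_len:
        raise UnsafeConfigValue("empty or too long")
    if re.search(r'[\r\n\x00"\\]', value):
        raise UnsafeConfigValue("line break, quote or escape in value")
    if not re.fullmatch(r"[A-Za-z0-9 ._-]+", value):
        raise UnsafeConfigValue("character outside the allow-list")
    return value


def build_directory_block_safe(path: str, title: str, passwd_file: str) -> str:
    """Hardened pattern: validate first, then render the same block."""
    title = validate_config_value(title)
    return build_directory_block_unsafe(path, title, passwd_file)


def is_rejected(title: str) -> bool:
    """True if the hardened builder refuses the title."""
    try:
        build_directory_block_safe("/srv/www/private", title, "/srv/www/.htpasswd")
    except UnsafeConfigValue:
        return True
    return False


def count_directives(config: str) -> int:
    """Count directive lines (non-empty lines that are not <Directory> tags).
    A correctly rendered block always has exactly four."""
    return sum(
        1 for line in config.splitlines()
        if line.strip() and not line.strip().startswith("<")
    )


if __name__ == "__main__":
    for title in (SAFE_TITLE, INJECTED_TITLE):
        rendered = build_directory_block_unsafe("/srv/www/private", title, "/srv/www/.htpasswd")
        print(f"unsafe builder: {count_directives(rendered)} directives, "
              f"hardened builder rejects: {is_rejected(title)}")
```

Run it and the unsafe builder yields six directives for the injected title where four were intended, which is the whole defect: the configuration grammar is line-oriented, so any value that can carry a newline must be validated (or rejected) before it is written, regardless of which process later reloads Apache.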


Impact

Local privilege escalation (LPE) is possible. Any Plesk user
with access to the Password-Protected Directories feature could
gain root-level access on the server.


Call to action

A fix for this problem has been released. Please follow the
appropriate steps for the Plesk version.

Plesk 18.0.73 and 18.0.74

A micro-update was released to these versions (18.0.73.5 and
18.0.74.2).
Update Plesk to install it by following the steps from this
guide:

How to install Plesk updates

Plesk 18.0.70 - 18.0.72    Plesk Onyx


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
