CVE-2025-65518: Unauthenticated Attack Can Knock Plesk Obsidian Control Panel Offline

CVE Overview

  • CVE ID: CVE-2025-65518
  • Product: Plesk Obsidian (Hosting Control Panel)
  • Vulnerability Type: Unauthenticated Denial-of-Service
  • Impact: Hosting control panel outage / management unavailability
  • Attack Vector: Remote, network-based
  • Authentication Required: None
  • User Interaction: None
  • Exploit Availability: Public proof-of-concept exists
  • Severity: High
  • Primary Impacted CIA Element: Availability

Executive Summary

CVE-2025-65518 is an unauthenticated Denial-of-Service vulnerability affecting the Plesk Obsidian control panel. The issue allows a remote attacker to repeatedly trigger a flawed web endpoint within the Plesk management interface, causing the panel to become unresponsive or continuously reload.

While this vulnerability does not expose customer data or provide administrative access, it directly affects the availability of the hosting control plane. In real-world hosting environments, this can result in operational outages, inability to manage customer services, delayed incident response, and reputational impact.

Because the vulnerability does not require authentication and public demonstration material exists, any Plesk instance exposed to the internet should be considered at risk until properly mitigated or upgraded.


Affected Environment

  • Plesk Obsidian installations where the management interface is reachable over the network
  • Default and custom Plesk management ports (8443 for HTTPS and 8880 for HTTP by default)
  • Systems without strict network access controls or rate-limiting protections

The vulnerability is independent of hosted websites and affects the control panel itself.


Technical Details

The Plesk web interface includes internal PHP endpoints responsible for handling user interface actions, password-related flows, and session-related logic.

In vulnerable builds:

  • A specific endpoint does not properly validate or handle malformed or repeated HTTP requests.
  • When an attacker sends specially crafted or high-frequency requests to this endpoint, the Plesk panel backend enters an unstable state.
  • This may result in:
    • Continuous UI reload loops
    • Worker thread exhaustion
    • Panel service crashes or hangs
    • Excessive CPU and memory usage

Because the endpoint is reachable before authentication, the attacker does not need valid credentials. A single source host, and depending on server resources and configuration even a small number of requests, can be enough to disrupt availability.


Attack Scenario

  1. The attacker identifies an internet-exposed Plesk panel.
  2. They send repeated crafted HTTP requests to a vulnerable panel endpoint.
  3. The panel UI becomes unresponsive or starts reloading indefinitely.
  4. Administrators are locked out of the control panel.
  5. Hosting operations (site management, DNS, email, backups) are disrupted.

No login attempt, brute force, or credential abuse is required.


Proof-of-Concept Status

Public proof-of-concept material demonstrating this behavior has been shared online.

  • The existence of a PoC confirms the vulnerability is practically exploitable
  • PoC material should only be used in controlled lab environments for:
    • Detection testing
    • Security research
    • Defensive rule validation

Running PoC code against production systems is strongly discouraged.


MITRE Mapping

MITRE ATT&CK (Enterprise):

  • T1499 – Endpoint Denial of Service
  • T1499.004 – Application or System Exploitation (sub-technique; a crafted request to a flawed endpoint rather than a bandwidth flood)

Likely Weakness Classes:

  • CWE-400 – Uncontrolled Resource Consumption
  • CWE-20 – Improper Input Validation

Detection Strategy

Log Sources to Monitor

  • Plesk panel access logs
  • Web server logs (Apache / Nginx) serving the panel
  • WAF / reverse proxy logs
  • Firewall and network traffic logs
  • System logs for Plesk service restarts
  • CPU and memory utilization metrics

Indicators of Exploitation

  • Repeated HTTP requests to panel endpoints such as:
    • /get_password.php
    • Other password or UI-related panel paths
  • High request rates from a single IP or small IP set
  • Sudden spike in 4xx/5xx HTTP responses on the panel
  • Panel service (sw-cp-server) restarting or freezing
  • Administrators reporting endless UI reloads or inability to log in

Example Detection Logic

High-rate access detection

If requests_to_panel_endpoint > 30 per minute from same IP
AND endpoint is unauthenticated
THEN raise alert

Service instability detection

If sw-cp-server restarts more than 2 times in 10 minutes
OR CPU usage spikes immediately after external requests
THEN investigate potential DoS attempt

WAF behavioral rule

  • Alert or block when abnormal request patterns target password-related endpoints
  • Enforce request size and rate thresholds
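The two rules above, run as a batch check over log lines. This is an added example, not code from the page or from Plesk: it assumes the panel access log is in the common Apache/nginx "combined" format, that restart evidence is journald-style text, and it uses /login_up.php as a second illustrative pre-authentication path alongside the /get_password.php path named on the page. The sample log lines are constructed.

```python
"""Batch check of the page's two detection rules over constructed sample logs.

Assumptions (added example, not Plesk code): the panel access log is in the
Apache/nginx "combined" format, restart evidence is journald-style text, and
/login_up.php is used as a second illustrative pre-auth path."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UNAUTH_ENDPOINTS = {"/get_password.php", "/login_up.php"}  # reachable without a session
RATE_THRESHOLD = 30                      # requests per minute from one IP
RESTART_LIMIT = 2                        # more than this many starts in RESTART_WINDOW
RESTART_WINDOW = timedelta(minutes=10)

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACCESS_TS = "%d/%b/%Y:%H:%M:%S %z"
RESTART_RE = re.compile(r'^(?P<ts>\S+) .*Started sw-cp-server')


def parse_access(line):
    """Return (ip, path-without-query, timestamp, status) or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), path, datetime.strptime(m.group("ts"), ACCESS_TS), int(m.group("status"))


def high_rate_sources(lines, threshold=RATE_THRESHOLD):
    """Rule 1: per-IP, per-minute hit counts on unauthenticated endpoints.
    Returns {ip: worst_minute_count} for IPs above the threshold."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_access(line)
        if rec and rec[1] in UNAUTH_ENDPOINTS:
            ip, _path, ts, _status = rec
            buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    worst = {}
    for (ip, _minute), n in buckets.items():
        if n > threshold:
            worst[ip] = max(n, worst.get(ip, 0))
    return worst


def restart_burst(lines, limit=RESTART_LIMIT, window=RESTART_WINDOW):
    """Rule 2: True if sw-cp-server was started more than `limit` times
    inside any window of `window` length."""
    starts = sorted(
        datetime.fromisoformat(m.group("ts"))
        for m in map(RESTART_RE.match, lines) if m
    )
    for i, first in enumerate(starts):
        if sum(1 for t in starts[i:] if t - first <= window) > limit:
            return True
    return False


def analyze(access_lines, journal_lines):
    """Combine both rules into one alert dictionary."""
    return {
        "high_rate": high_rate_sources(access_lines),
        "service_unstable": restart_burst(journal_lines),
    }


# Constructed sample data: one source hitting /get_password.php 35 times in
# one minute, one legitimate admin login, and three panel restarts in 6 minutes.
SAMPLE_ACCESS = [
    f'203.0.113.10 - - [20/Nov/2025:10:00:{s:02d} +0000] "GET /get_password.php HTTP/1.1" 200 1432'
    for s in range(35)
] + [
    '198.51.100.5 - - [20/Nov/2025:10:00:12 +0000] "GET /login_up.php HTTP/1.1" 200 5120',
    '198.51.100.5 - - [20/Nov/2025:10:00:40 +0000] "POST /login_up.php HTTP/1.1" 302 0',
    '198.51.100.5 - - [20/Nov/2025:10:01:03 +0000] "GET /admin/home/ HTTP/1.1" 200 22100',
]
SAMPLE_JOURNAL = [
    "2025-11-20T09:30:00+00:00 plesk systemd[1]: Started sw-cp-server.service",
    "2025-11-20T10:02:10+00:00 plesk systemd[1]: sw-cp-server.service: Main process exited, code=killed, status=9/KILL",
    "2025-11-20T10:02:11+00:00 plesk systemd[1]: Started sw-cp-server.service",
    "2025-11-20T10:05:40+00:00 plesk systemd[1]: Started sw-cp-server.service",
    "2025-11-20T10:08:02+00:00 plesk systemd[1]: Started sw-cp-server.service",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_ACCESS, SAMPLE_JOURNAL))
```

The per-minute bucketing mirrors the "per minute" wording of the rule; a sliding window would catch a burst that straddles a minute boundary, at the cost of more state. The restart check deliberately ignores the boot-time start at 09:30, which is why the sample only trips on the three starts after 10:02.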

Immediate Mitigation

  1. Restrict Access to the Plesk Panel
    • Allow only trusted admin IPs or VPN access
    • Block public internet access entirely if possible
  2. Apply Rate Limiting
    • Limit requests per IP to management endpoints
    • Enforce stricter limits on unauthenticated endpoints
  3. Deploy or Tune WAF Rules
    • Monitor and block abusive patterns
    • Log all denied requests for investigation
  4. Network-Level Protections
    • Connection-rate rules on the panel port (8443/8880) at the firewall or edge, so repeated requests are dropped before they reach sw-cp-server
    • Temporary IP blocking for offending sources
  5. Monitoring and Alerting
    • Alert on abnormal request spikes
    • Alert on panel service instability
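An enforcement-side sketch of steps 1, 2 and 4 above: an admin allowlist (with an "admin only" mode for blocking public access entirely), a stricter per-IP token bucket for unauthenticated panel paths, and a temporary block for sources that keep exceeding it. This is an added example, not Plesk or WAF vendor code; it assumes it is called once per request from a reverse-proxy or WAF hook in front of the panel, uses /get_password.php from the page, and adds /login_up.php as an illustrative second pre-auth path.

```python
"""Allowlist + per-IP token buckets + temporary block for a Plesk panel edge.

Added example, not Plesk or WAF vendor code. Assumed: decide() is called once
per request by a reverse-proxy/WAF hook; /login_up.php is illustrative."""
import ipaddress
from dataclasses import dataclass

UNAUTH_PATHS = {"/get_password.php", "/login_up.php"}


@dataclass
class TokenBucket:
    capacity: float          # burst size
    refill_per_s: float      # sustained rate in tokens per second
    tokens: float = -1.0     # -1 means "start full"
    last: float = 0.0

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.capacity

    def take(self, now):
        """Refill by elapsed time, then spend one token if one is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_s)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PanelGuard:
    def __init__(self, admin_networks, admin_only=False,
                 unauth_rate=(10, 1 / 60), auth_rate=(120, 2.0),
                 strikes=3, block_seconds=600):
        self.admin_nets = [ipaddress.ip_network(n) for n in admin_networks]
        self.admin_only = admin_only          # step 1: block public access entirely
        self.unauth_rate = unauth_rate        # (burst, tokens/s): 10 then 1/min for pre-auth paths
        self.auth_rate = auth_rate            # looser bucket for the rest of the panel
        self.strikes = strikes                # rate-limit misses before a temporary block
        self.block_seconds = block_seconds
        self.buckets = {}
        self.misses = {}
        self.blocked_until = {}

    def trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.admin_nets)

    def decide(self, ip, path, now):
        """Return 'allow', 'deny' (rate limited) or 'blocked' (temporary ban)."""
        if self.trusted(ip):
            return "allow"
        if self.admin_only:
            return "deny"
        if self.blocked_until.get(ip, 0) > now:
            return "blocked"
        unauth = path.split("?", 1)[0] in UNAUTH_PATHS
        key = (ip, unauth)                    # separate buckets per class of path
        if key not in self.buckets:
            burst, rate = self.unauth_rate if unauth else self.auth_rate
            self.buckets[key] = TokenBucket(burst, rate)
        if self.buckets[key].take(now):
            return "allow"
        self.misses[ip] = self.misses.get(ip, 0) + 1
        if self.misses[ip] >= self.strikes:
            self.misses[ip] = 0
            self.blocked_until[ip] = now + self.block_seconds
            return "blocked"
        return "deny"


if __name__ == "__main__":
    guard = PanelGuard(["192.0.2.0/24"])
    for i in range(14):
        print(i, guard.decide("203.0.113.10", "/get_password.php", 1000 + i))
```

The allowlist check runs before any counting, so a trusted admin is never locked out by their own traffic during an attack. Keep the pre-auth bucket small: nobody legitimately needs more than a handful of password-reset page loads per minute, while the looser bucket for the rest of the panel avoids throttling normal management sessions.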

Long-Term Remediation

The definitive fix for CVE-2025-65518 is to upgrade Plesk Obsidian to the latest vendor-provided version where the vulnerable logic has been corrected.

Official Vendor Upgrade Link

Plesk Obsidian Updates & Security Fixes:
https://www.plesk.com/updates/

Always follow Plesk’s official upgrade procedure and test updates in staging environments when possible.


Post-Patch Validation

After upgrading:

  • Confirm panel UI stability
  • Verify logs show no repeated endpoint abuse
  • Remove temporary emergency firewall blocks cautiously
  • Keep access restrictions in place where feasible

Risk Assessment Summary

Factor                     Risk
Authentication Required    None
Network Exposure           High if panel is public
Exploit Maturity           Public PoC available
Business Impact            Operational outage
Data Exposure              None confirmed

Final Takeaway

  • This vulnerability does not lead to data theft or privilege escalation, but its operational impact can be severe in hosting environments.
  • Publicly accessible Plesk panels should always be treated as high-value attack surfaces.
  • Restricting access and maintaining timely updates significantly reduces risk.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.