A severe security vulnerability has been discovered in Plesk for Linux that could allow local users to gain root access on affected servers.
The flaw, tracked as CVE-2025-66430, exists within Plesk’s Password-Protected Directories feature and allows attackers to inject arbitrary data into Apache configuration files.
The vulnerability stems from improper handling of user input within the Password-Protected Directories feature.
By exploiting this flaw, attackers can inject malicious data into the Apache configuration and subsequently execute commands with root privileges.
This represents a critical local privilege escalation vulnerability that poses a significant risk to organizations relying on Plesk for server management.

| CVE ID | Vulnerability Type | Affected Component |
|---|---|---|
| CVE-2025-66430 | Local Privilege Escalation | Password-Protected Directories |

Any Plesk user with access to the Password-Protected Directories feature can exploit this vulnerability to gain unauthorized root-level access.
This allows attackers to execute arbitrary commands with the highest system privileges, potentially leading to complete server compromise, data theft, malware installation, or lateral movement within the network.
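The bug class the article describes, a panel feature that pastes user input into an Apache configuration fragment, shown as an added example that is not Plesk's code and does not reproduce CVE-2025-66430: the constructed `render_protected_dir_unsafe` writes values verbatim, while `render_protected_dir_safe` allow-lists them before they reach the file. The function names, patterns and sample paths are assumptions.

```python
import re

# Constructed illustration only: a hypothetical panel feature that writes a
# per-directory Basic-auth block into an Apache config fragment. Not Plesk's
# code; the real input field and payload are not given in the article.

def render_protected_dir_unsafe(docroot: str, subdir: str, title: str) -> str:
    """Vulnerable pattern: user-supplied values are interpolated unvalidated."""
    return (
        f'<Directory "{docroot}/{subdir}">\n'
        f'    AuthType Basic\n'
        f'    AuthName "{title}"\n'
        f'    AuthUserFile "{docroot}/.htpasswd"\n'
        f'    Require valid-user\n'
        f'</Directory>\n'
    )

class ConfigInjection(ValueError):
    """Raised when a value could break out of its directive."""

# Allow-lists (assumed): no quotes, newlines or other control characters.
_SAFE_SUBDIR = re.compile(r'[A-Za-z0-9_][A-Za-z0-9._/-]*')
_SAFE_TITLE = re.compile(r'[A-Za-z0-9 ._-]{1,64}')

def render_protected_dir_safe(docroot: str, subdir: str, title: str) -> str:
    """Hardened pattern: validate every value before it reaches the config."""
    if not _SAFE_SUBDIR.fullmatch(subdir) or '..' in subdir.split('/'):
        raise ConfigInjection(f"rejected directory name: {subdir!r}")
    if not _SAFE_TITLE.fullmatch(title):
        raise ConfigInjection(f"rejected realm name: {title!r}")
    return render_protected_dir_unsafe(docroot, subdir, title)

def is_rejected(docroot: str, subdir: str, title: str) -> bool:
    """True if the hardened renderer refuses the input."""
    try:
        render_protected_dir_safe(docroot, subdir, title)
    except ConfigInjection:
        return True
    return False

def config_directives(fragment: str) -> list:
    """Audit helper: directive names present in a generated fragment, in order."""
    return [ln.strip().split()[0] for ln in fragment.splitlines()
            if ln.strip() and not ln.strip().startswith('<')]

if __name__ == "__main__":
    # Constructed input containing a line break: the unsafe renderer emits an
    # extra directive, the safe renderer refuses the value outright.
    bad_title = 'Staff"\nLogLevel debug\n#'
    print(config_directives(render_protected_dir_unsafe("/srv/www", "private", bad_title)))
    print(is_rejected("/srv/www", "private", bad_title))
```

Running the audit helper over fragments the panel actually generates is a cheap way to spot directives that no template should ever emit.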
