CVE-2025-49618 in Obsidian
Summary
by MITRE • 07/03/2025
In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/03/2025
The vulnerability identified as CVE-2025-49618 represents a critical information disclosure flaw within Plesk Obsidian version 18.0.69. This issue arises from insufficient authentication controls on the /login_up.php endpoint, which allows any remote attacker to access sensitive AWS credentials without requiring valid user credentials. The flaw demonstrates a fundamental breakdown in the application's security architecture where privileged information is exposed through an endpoint that should be protected against unauthorized access attempts.
The technical implementation of this vulnerability stems from the application's failure to properly validate incoming requests to the /login_up.php endpoint. When unauthenticated users submit requests to this specific path, the system inadvertently returns AWS credential information including accessKeyId, secretAccessKey, region, and endpoint details. This represents a classic case of improper access control where the application fails to enforce authentication requirements for endpoints that contain sensitive configuration data. The vulnerability aligns with CWE-284 which addresses improper access control, specifically targeting the exposure of sensitive information through insufficient authentication mechanisms.
From an operational impact perspective, this vulnerability creates a severe risk landscape for organizations using Plesk Obsidian 18.0.69. The exposure of AWS credentials provides attackers with direct access to cloud resources that may include databases, storage buckets, compute instances, and other critical infrastructure components. Attackers can leverage these credentials to perform unauthorized actions including data exfiltration, service disruption, privilege escalation, and lateral movement within the cloud environment. The vulnerability essentially provides a backdoor to cloud infrastructure that was previously protected by the assumption that accessKeyId and secretAccessKey were properly secured within the application's configuration files.
The attack surface for this vulnerability extends beyond immediate credential exposure to include potential chain reactions within the cloud infrastructure. According to ATT&CK framework, this vulnerability maps to T1566 (Phishing) and T1078 (Valid Accounts) where attackers can leverage the exposed credentials to establish persistent access to cloud resources. The compromised credentials can be used to perform reconnaissance activities, deploy malicious code, or establish command and control channels within the cloud environment. Organizations may face regulatory compliance violations and significant financial losses when these credentials are misused to access sensitive customer data or corporate intellectual property.
Organizations should implement immediate mitigations including disabling or restricting access to the vulnerable /login_up.php endpoint through web application firewalls, implementing additional authentication layers, and rotating all exposed AWS credentials. The recommended approach involves applying the vendor-provided patch as soon as available, implementing network segmentation to limit access to administrative endpoints, and conducting comprehensive credential audits across all cloud services. Security monitoring should be enhanced to detect unusual patterns of access to administrative endpoints and credential usage patterns that may indicate compromise. Additionally, organizations should review their overall cloud security posture and implement principle of least privilege controls to minimize the impact of credential exposure should similar vulnerabilities be discovered in other components of their infrastructure.