Cyber Resilience

CVE-2025-65518

HighDDoS

Published: 08 January 2026

Published
08 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0004 12.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-65518 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Webpros Plesk Obsidian. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-65518 is a Denial of Service (DoS) vulnerability affecting Plesk Obsidian versions 8.0.1 through 18.0.73. The issue resides in the get_password.php endpoint of the web interface, where a crafted request containing a malicious payload triggers continuous reloading of the interface. This renders the Plesk Obsidian service unavailable to legitimate users, classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending the malicious request to the get_password.php endpoint, an attacker achieves a persistent availability impact, disrupting access to the Plesk Obsidian web interface for all users.

Mitigation details and patches are documented in official advisories, including Plesk's release notes at http://plesk.com and https://docs.plesk.com/release-notes/obsidian/change-log/, along with further analysis at https://github.com/Jainil-89/CVE-2025-65518/blob/main/cve.md. Security practitioners should consult these resources for update instructions and workarounds.

EU & UK References

Vulnerability details

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering…

more

the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to remote exploitation of public-facing web app (get_password.php) causing application-layer DoS via resource exhaustion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39304Shared CWE-400
CVE-2025-27669Shared CWE-400
CVE-2026-21637Shared CWE-400
CVE-2026-27888Shared CWE-400
CVE-2025-59472Shared CWE-400
CVE-2025-40944Shared CWE-400
CVE-2025-24269Shared CWE-400
CVE-2026-46829Shared CWE-400
CVE-2026-25819Shared CWE-400
CVE-2025-59464Shared CWE-400

Affected Assets

webpros
plesk obsidian
8.0.1 — 18.0.73

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements denial-of-service protections to limit or block crafted requests causing continuous reloading and resource exhaustion in the get_password.php endpoint.

prevent

Validates malicious payloads in requests to the get_password.php endpoint, preventing uncontrolled resource consumption leading to DoS.

prevent

Ensures timely flaw remediation through patching of the specific vulnerability in Plesk Obsidian versions 8.0.1 through 18.0.73 as per official advisories.

References