CVE-2025-65518
Published: 08 January 2026
Summary
CVE-2025-65518 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in WebPros Plesk Obsidian. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 12.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-65518 is a Denial of Service (DoS) vulnerability affecting Plesk Obsidian versions 8.0.1 through 18.0.73. The issue resides in the get_password.php endpoint of the web interface, where a crafted request containing a malicious payload triggers continuous reloading of the interface. This renders the Plesk Obsidian service unavailable to legitimate users, classified under CWE-400 (Uncontrolled Resource Consumption) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By sending the malicious request to the get_password.php endpoint, an attacker achieves a persistent availability impact, disrupting access to the Plesk Obsidian web interface for all users.
Mitigation details and patches are documented in official advisories, including Plesk's release notes at http://plesk.com and https://docs.plesk.com/release-notes/obsidian/change-log/, along with further analysis at https://github.com/Jainil-89/CVE-2025-65518/blob/main/cve.md. Security practitioners should consult these resources for update instructions and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1436
Vulnerability details
Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
T1190 maps directly to this flaw: remote exploitation of a public-facing web application endpoint (get_password.php) that causes an application-layer DoS through resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly implements denial-of-service protections that limit or block crafted requests causing continuous reloading and resource exhaustion in the get_password.php endpoint.
- SI-10 (Information Input Validation): validates the payload of requests to the get_password.php endpoint, preventing the uncontrolled resource consumption that leads to DoS.
- SI-2 (Flaw Remediation): ensures timely remediation by patching the specific vulnerability in Plesk Obsidian versions 8.0.1 through 18.0.73 as described in the official advisories.
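The SC-5 control above boils down to two defender-side mechanisms: noticing when one client hammers get_password.php, and throttling that client before the interface is driven into continuous reloading. The script below is an added example, not Plesk's or WebPros' code, and it makes several assumptions: a combined-format web-server access log in front of Plesk, a 60-second sliding window, and a threshold of 20 requests per client per window (all three are constructed for illustration and should be tuned to real traffic). The sample log lines are constructed as well; nothing in them reflects the actual payload, which the advisory does not disclose.

```python
"""Flag and throttle request bursts against Plesk's get_password.php.

Added example (not Plesk or WebPros code). Assumes a combined-format
access log and hypothetical WINDOW_SECONDS / MAX_PER_WINDOW parameters.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PATH = "/get_password.php"   # endpoint named in the advisory
WINDOW_SECONDS = 60                  # assumption: sliding-window length
MAX_PER_WINDOW = 20                  # assumption: requests allowed per window

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    path = m.group("path").split("?", 1)[0]   # query string is irrelevant here
    return m.group("ip"), ts, path


def find_bursts(lines, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Detection: {ip: peak_count} for clients that exceeded `limit`
    requests to WATCHED_PATH inside any `window`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != WATCHED_PATH:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old entries
            q.popleft()
        if len(q) > limit:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


class TokenBucket:
    """Mitigation: per-client token bucket, the SC-5 style throttle a
    reverse proxy would apply in front of the endpoint (assumed sizing)."""

    def __init__(self, capacity=MAX_PER_WINDOW,
                 refill_per_sec=MAX_PER_WINDOW / WINDOW_SECONDS):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.buckets = {}   # ip -> (tokens, last_seen)

    def allow(self, ip, ts):
        tokens, last = self.buckets.get(ip, (self.capacity, ts))
        tokens = min(self.capacity,
                     tokens + (ts - last).total_seconds() * self.refill)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, ts)
            return True
        self.buckets[ip] = (tokens, ts)   # no token: request is throttled
        return False


def throttle_report(lines):
    """Replay watched-path requests (in log order) through a TokenBucket and
    count, per client, how many would be served and how many throttled."""
    bucket = TokenBucket()
    report = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != WATCHED_PATH:
            continue
        ip, ts, _ = parsed
        report[ip]["allowed" if bucket.allow(ip, ts) else "denied"] += 1
    return dict(report)


def make_sample_log():
    """Constructed sample: one client sends 25 requests to the endpoint in
    nine seconds (three per second), another sends three spread over 40s."""
    base = datetime.strptime("08/Jan/2026:10:00:00 +0000", TIME_FMT)
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=i // 3)).strftime(TIME_FMT)
        lines.append(f'203.0.113.10 - - [{t}] "GET /get_password.php?x=1 '
                     f'HTTP/1.1" 200 512 "-" "curl/8.0"')
    for i in range(3):
        t = (base + timedelta(seconds=i * 20)).strftime(TIME_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "GET /get_password.php '
                     f'HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{base.strftime(TIME_FMT)}] '
                 f'"GET /login_up.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("not a log line")   # parser must skip malformed input
    return lines


if __name__ == "__main__":
    sample = make_sample_log()
    print("bursting clients:", find_bursts(sample))
    print("throttle replay:", throttle_report(sample))
```

Two points worth noting when adapting this. The detector keys on the path only and ignores the query string and body, so it does not depend on knowing what the crafted payload looks like; that is deliberate, since a volume-based signal is what SC-5 protects against regardless of payload shape. The bucket sizing (20 tokens, refilling at one every three seconds) is illustrative: a legitimate password-reset page sees a handful of hits per client, so a real deployment can usually set the limit well below what the example uses, and should pair it with the SI-2 fix, since throttling narrows the window but does not remove the flaw.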