CVE-2025-49618

Summary

In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint.

Affected Software

VendorProductVersion RangeStatus
PleskObsidian18.0.69affected

Weaknesses

  • CWE-402: CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References