In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php.
PHP using the '==' (loose comparison) operator compares strings in a typically type-independent manner — if both strings have the scientific format '0e[digits]', they are treated as floating-point numbers equal to 0.0. If the administrator password starts with '0e' and is followed by a string of digits (so-called magic hash), then any other string with the same property (e.g., '0e0') will be considered identical. The error is located in the file admin/plib/LoginManager.php in the _isAdminPasswordValid method.
A remote attacker, without any authentication, can gain full administrative access to the Plesk panel, leading to complete takeover of the hosting server — including reading and modifying data, managing domains, and potential code execution.
Apply patches available from the vendor according to the references (https://support.plesk.com/hc/en-us/articles/33785727869847-Vulnerability-CVE-2025-54336). As an immediate workaround, immediately change the administrator password to one that does not have the form '0e[digits]', and monitor login logs for unauthorized access attempts.
Plesk Obsidian version 18.0.70 — the vulnerability affects only installations where the administrator password has the form of a 'magic hash' (starts with '0e' and is followed by a string of digits).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H