NCSC Plesk Advisory

A security researcher has released details of a significant zero-day vulnerability in some versions of the Plesk server management software. The code-execution vulnerability affects default installations of Plesk versions 8.6, 9.0, 9.2, 9.3, and 9.5.4 running on the Linux and FreeBSD operating systems. Windows and other Unix variants have not yet been tested to determine whether those configurations are vulnerable as well.

Plesk is a control panel commonly used to manage servers through a graphical interface. Plesk environments still running the versions identified above could be exploited by an attacker to gain the privileges of authorised users and thereby compromise and take control of the managed servers.

Trend Micro has published further information on the report which can be found here.

NCSC recommends that, where practical and with appropriate due diligence, network operators upgrade to a version later than those listed above, as later releases are not currently reported as vulnerable to this specific issue.