Plesk is a control panel used by hosting providers and IT teams to manage websites, databases, email, and server configurations — often for multiple clients on a single server. A successful exploit gives an attacker complete ownership of the server, meaning every website, customer database, email account, and file stored on that host is accessible. For hosting providers, this represents potential exposure of all customer data across every hosted tenant; for enterprises using Plesk for internal web operations, it is a full server compromise with potential for lateral movement into broader infrastructure.
You Are Affected If
You run Plesk on any Linux-based server in your environment, regardless of version, until you have confirmed that the server is running the patched release
The Password Protected Directories feature is enabled in your Plesk installation
Low-privileged or shared Plesk user accounts exist on the server — including hosting customer accounts, reseller accounts, or developer accounts
The Plesk control panel is accessible from the internet or from untrusted network segments
You have not yet applied the patch referenced in Plesk support advisory CVE-2025-66430
Board Talking Points
A critical flaw in Plesk — software used to manage web servers — allows any low-level user to take full control of the server, including all data and applications hosted on it.
The vendor has released a patch; affected servers should be updated within 24 hours, with access to the Plesk control panel restricted to trusted sources in the interim.
Without patching, any user with a Plesk login — including external customers on shared hosting environments — could gain unrestricted access to every system and dataset on the server.
PCI-DSS — if the affected Plesk server hosts payment processing applications or cardholder data environments, a full server compromise constitutes a reportable incident under PCI-DSS Requirement 12.10
GDPR / EU data protection — if the server hosts personal data of EU residents, root-level compromise triggers breach notification obligations under GDPR Article 33
HIPAA — if the server hosts applications processing protected health information (PHI), full server compromise is a reportable breach under the HIPAA Breach Notification Rule