Wednesday, 24 December 2025
Hello Plesk Team & Community,

I recently discovered a file named JuicyPotato.php in the following directory on our Windows server: C:\Program Files (x86)\Plesk\admin\plib\modules\notifier\library\Notifications\
Given that "JuicyPotato" is a known name for a privilege escalation tool, finding a file with this name is a security concern for us.

I would like to clarify a few things:
Is this file a legitimate part of a standard Plesk installation or one of its official modules?
If it is a legitimate file, what is its intended purpose and functionality?
If this is not an official Plesk file, what is the recommended procedure for its removal and for checking if the system has been otherwise compromised?
Any information or assistance would be greatly appreciated.

Thank you.

https://i.ibb.co/fdysPf2F/27439-611adfa996d3208db6cbef314792d5de.png

Server operating system version: Windows Server 2022
Plesk version and microupdate number: Plesk Obsidian 18.0.71
1 month ago
·
#365
Hello @Sebahat.hadzhi,

I have observed the following behavior on my Plesk server and would like to confirm if it is a normal and expected action by Plesk.

https://i.ibb.co/S7vhWj5k/27454-2b21fcbe4f37be93795e04b8a976faa5.png

Based on my logs, it appears that the PleskTaskManager user account executed a scheduled task.
This task involved running the Plesk PHP engine (C:\Program Files (x86)\Plesk\admin\engine\php.exe) to perform a daily extension upgrade (UpgradeExtensions --period=daily).

During this process, a file named JuicyPotato.php was created in the following path: C:\Program Files (x86)\Plesk\admin\plib\modules\notifier-2025-09-17-03-20-53\library\Notifications\JuicyPotato.php
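
One way to check the file against the explanations given in this thread, as an added example that is not part of the original posts and is not Plesk tooling: it inventories every copy of JuicyPotato.php under the notifier directories quoted above, compares each hash with a reference, and checks whether the file was created together with its neighbours. The reference hash is a placeholder the operator must take from a known-clean install, and the timestamp comparison is a heuristic assumption.

```powershell
# Added triage example; the base path follows the two locations quoted in this thread.
$modules = 'C:\Program Files (x86)\Plesk\admin\plib\modules'
# Placeholder (assumption): SHA-256 of the same file on a known-clean Plesk
# install running the same ext-notifier version.
$referenceSha256 = '<SHA256-FROM-KNOWN-CLEAN-INSTALL>'

# Every copy under notifier and its dated upgrade directories (notifier-YYYY-...).
$copies = Get-ChildItem -Path $modules -Directory -Filter 'notifier*' |
    ForEach-Object { Join-Path $_.FullName 'library\Notifications\JuicyPotato.php' } |
    Where-Object { Test-Path -LiteralPath $_ }

$report = foreach ($path in $copies) {
    $file     = Get-Item -LiteralPath $path
    $siblings = Get-ChildItem -LiteralPath $file.DirectoryName -File -Filter '*.php' |
        Where-Object { $_.FullName -ne $file.FullName }

    # Heuristic (assumption): files unpacked by one extension upgrade are created
    # within moments of each other; a file dropped later stands apart.
    $nearest = $siblings |
        ForEach-Object { [math]::Abs(($_.CreationTimeUtc - $file.CreationTimeUtc).TotalSeconds) } |
        Sort-Object | Select-Object -First 1

    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path                    = $path
        Sha256                  = $hash
        MatchesReference        = ($hash -eq $referenceSha256)
        CreatedUtc              = $file.CreationTimeUtc
        SecondsToNearestSibling = $nearest
        Owner                   = (Get-Acl -LiteralPath $path).Owner
    }
}

$report | Format-List

# Copies from the same extension version should share one hash. Different hashes
# across dated directories can simply mean different extension versions.
$report | Group-Object Sha256 | Select-Object Count, Name
```

A large SecondsToNearestSibling value or a hash that matches no clean install is a reason to look closer; a match on both supports the explanation that the file arrived with the extension upgrade.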
1 month ago
·
#364
Pretty sure that notification only triggers when it detects an exploit attempt utilizing JuicyPotato. Honestly, I wouldn't worry about it too much, and besides, if a hacker did try to utilize JuicyPotato to exploit your system, they wouldn't be naming it JuicyPotato lol.


Got it. So if I understand correctly, you're suggesting that Plesk's "JuicyPotato.php" is essentially a detection tool that looks for privilege escalation attempts using the Juicy Potato exploit?
1 month ago
·
#363
Pretty sure that notification only triggers when it detects an exploit attempt utilizing JuicyPotato. Honestly, I wouldn't worry about it too much, and besides, if a hacker did try to utilize JuicyPotato to exploit your system, they wouldn't be naming it JuicyPotato lol.
1 month ago
·
#362
I am not entirely sure what specific event would trigger the execution of the file, but since it belongs to ext-notifier, that would be something related to Plesk's notification system. The file in question is present on all Plesk installations. Therefore, I can confidently confirm it is not an exploit that occurred on your server. Since you are running Windows 2022 and Plesk above 18.0.32, you should not be affected by the vulnerability in the first place. Thus, you can safely ignore it.


Thank you for the detailed and very helpful reply!

I'd also love to hear from other experts or community members on this. If you have any experience or further insights into this topic, please feel free to share them. Looking forward to sparking some new ideas together.
1 month ago
·
#361
I am not entirely sure what specific event would trigger the execution of the file, but since it belongs to ext-notifier, that would be something related to Plesk's notification system. The file in question is present on all Plesk installations. Therefore, I can confidently confirm it is not an exploit that occurred on your server. Since you are running Windows 2022 and Plesk above 18.0.32, you should not be affected by the vulnerability in the first place. Thus, you can safely ignore it.
1 month ago
·
#360
Hello, @hypmen. It is a legitimate file, part of the Plesk modules (ext-notifier extension), and it is related to the Juicy Potato vulnerability:
https://support.plesk.com/hc/en-us/...r-2016-are-vulnerable-to-Juicy-Potato-exploit


Thank you for your clarification on this security concern.

I have a follow-up question. Could you please clarify under what circumstances, if any, the Plesk system would execute this JuicyPotato.php file? And what would be its intended function when executed?

The reason I ask is that when I tried to inspect the file, its content appears to be encrypted or obfuscated, which prevents me from analyzing its purpose directly. Understanding its potential execution path is crucial for our security assessment.

Thanks again for your assistance.
1 month ago
·
#359
Hello, @hypmen. It is a legitimate file, part of the Plesk modules (ext-notifier extension), and it is related to the Juicy Potato vulnerability:
https://support.plesk.com/hc/en-us/...r-2016-are-vulnerable-to-Juicy-Potato-exploit
© 2026 hostsocial.io