
Question Security Question: Found a "JuicyPotato.php" file in Plesk directory

hypmen

New Pleskian
Server operating system version
windows server 2022
Plesk version and microupdate number
plesk obsidian 18.0.71
Hello Plesk Team & Community,

I recently discovered a file named JuicyPotato.php in the following directory on our Windows server: C:\Program Files (x86)\Plesk\admin\plib\modules\notifier\library\Notifications\
Given that "JuicyPotato" is a known name for a privilege escalation tool, finding a file with this name is a security concern for us.

I would like to clarify a few things:
  1. Is this file a legitimate part of a standard Plesk installation or one of its official modules?
  2. If it is a legitimate file, what is its intended purpose and functionality?
  3. If this is not an official Plesk file, what is the recommended procedure for its removal and for checking if the system has been otherwise compromised?
Any information or assistance would be greatly appreciated.

Thank you.
P.S.
1. Plesk version: plesk obsidian 18.0.71
2. OS: windows server 2022
 
Hello Manager, thanks for your answer,
Hello, @hypmen. It is a legitimate file, part of Plesk modules (ext-notifier extension), and it is related to the Juicy Potato vulnerability:

Thank you, Manager, for your clarification on this security concern.

I have a follow-up question. Could you please clarify under what circumstances, if any, the Plesk system would execute this JuicyPotato.php file? And what would be its intended function when executed?

The reason I ask is that when I tried to inspect the file, its content appears to be encrypted or obfuscated, which prevents me from analyzing its purpose directly. Understanding its potential execution path is crucial for our security assessment.

Thanks again for your assistance.
 
I am not entirely sure what specific event would trigger the execution of the file, but since it belongs to ext-notifier, that would be something related to Plesk's notification system. The file in question is present on all Plesk installations. Therefore, I can confidently confirm it is not an exploit that occurred on your server. Since you are running Windows 2022 and Plesk above 18.0.32, you should not be affected by the vulnerability in the first place. Thus, you can safely ignore it.
 
Thank you, @Manager, for the detailed and very helpful reply!

I'd also love to hear from other experts or community members on this. If you have any experience or further insights into this topic, please feel free to share them. Looking forward to sparking some new ideas together.
 
Pretty sure that notification only triggers when it detects an exploit attempt utilizing JuicyPotato. Honestly, I wouldn't worry about it too much, and besides, if a hacker did try to utilize JuicyPotato to exploit your system, they wouldn't be naming it JuicyPotato lol.
 
Got it. So if I understand correctly, you're suggesting that Plesk's "JuicyPotato.php" is essentially a detection tool that looks for privilege escalation attempts using the Juicy Potato exploit?
 
Hello Plesk Team and Community Manager @Sebahat.hadzhi,

I have observed the following behavior on my Plesk server and would like to confirm if it is a normal and expected action by Plesk.
Based on my logs, it appears that the PleskTaskManager user account executed a scheduled task.
This task involved running the Plesk PHP engine (C:\Program Files (x86)\Plesk\admin\engine\php.exe) to perform a daily extension upgrade (UpgradeExtensions --period=daily).

During this process, a file named JuicyPotato.php was created in the following path: C:\Program Files (x86)\Plesk\admin\plib\modules\notifier-2025-09-17-03-20-53\library\Notifications\JuicyPotato.php

I have the following questions:
  1. My Plesk auto-update feature is disabled. Is it expected behavior for the PleskTaskManager to still run a scheduled task to upgrade extensions and create the JuicyPotato.php file under the Notifications module?
  2. If this is normal behavior, could you please explain the purpose of this JuicyPotato.php file? Also, how can I verify that this action was indeed an automated system process and not potentially triggered by an attacker?
  3. To avoid any potential misunderstanding or security concerns associated with a file named "JuicyPotato," is it safe to delete this file or other seemingly unnecessary notification files?
I would appreciate any clarification you can provide on this matter.

Thank you for your assistance.
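
One way to approach the verification asked about in the second question above, added here as an example (it is not part of the original posts and not Plesk tooling): inventory every copy of the file with its creation time, owner and hash, then check whether a scheduled task tied to the PleskTaskManager account or to UpgradeExtensions last ran close to that creation time. The paths and names come from the thread; the 30-minute window and the assumption that the job is registered in Windows Task Scheduler are mine.

```powershell
# Added example: paths and account name are the ones quoted in the thread.
$modulesDir = 'C:\Program Files (x86)\Plesk\admin\plib\modules'
$taskUser   = 'PleskTaskManager'
$windowMin  = 30   # assumed tolerance between task run and file creation

# 1. Every copy of JuicyPotato.php under notifier* module directories.
$files = Get-ChildItem -Path (Join-Path $modulesDir 'notifier*') -Recurse -File `
            -Filter 'JuicyPotato.php' -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Created = $_.CreationTime
            Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# 2. Scheduled tasks that run as the Plesk task account or invoke UpgradeExtensions.
#    Assumption: the job is registered in Windows Task Scheduler.
$tasks = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -like "*$taskUser*" -or
    ($_.Actions | Where-Object { $_.Arguments -like '*UpgradeExtensions*' })
} | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        RunAs   = $_.Principal.UserId
        Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
    }
}

# 3. For each file, list the tasks whose last run falls within the window.
foreach ($f in $files) {
    $near = $tasks | Where-Object {
        $_.LastRun -and [math]::Abs(($f.Created - $_.LastRun).TotalMinutes) -le $windowMin
    }
    [pscustomobject]@{
        Path         = $f.Path
        Created      = $f.Created
        Owner        = $f.Owner
        SHA256       = $f.SHA256
        MatchingTask = if ($near) { $near.Task -join ', ' } else { 'none: review manually' }
    }
}
```

Run it from an elevated PowerShell session. `LastRunTime` only reflects the most recent run, so a file created on an earlier day will show no match here and needs the Task Scheduler operational event log or the EDR timeline instead.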
 