CVE-2023-25152

8.4 HIGH

📋 TL;DR

This vulnerability in Pterodactyl Wings allows attackers with existing server access to create arbitrary files and directories on the host system. This could lead to privilege escalation, unauthorized resource allocation changes, or remote shell access. Only users running affected Wings Daemon versions are impacted.

💻 Affected Systems

Products:
  • Pterodactyl Wings Daemon
Versions: v1.7.x before v1.7.3, v1.11.x before v1.11.3
Operating Systems: Linux (all distributions where Wings runs)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the attacker to already control a server allocated on the affected Wings Daemon. No special configuration is needed for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full control of the host system through SSH key injection, container privilege escalation, and arbitrary file creation leading to complete compromise.

🟠

Likely Case

Attackers modify resource allocations, create unauthorized files, and potentially gain elevated container privileges to execute malicious code.

🟢

If Mitigated

With proper network segmentation and minimal user access, impact is limited to the specific compromised container instance.

🌐 Internet-Facing: HIGH - Wings Daemon often exposes management interfaces that could be targeted by external attackers with initial access.
🏢 Internal Only: MEDIUM - Requires existing server access, but internal attackers could exploit this for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing server access but is straightforward once that access is obtained. The vulnerability is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.7.3 for 1.7 series, v1.11.3 for 1.11 series

Vendor Advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-p8r3-83r8-jwj5

Restart Required: Yes

Instructions:

1. Stop the Wings Daemon service
2. Backup current configuration
3. Download and install the patched version (v1.7.3 or v1.11.3)
4. Restart the Wings Daemon service
5. Verify service is running correctly

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Wings Daemon from critical systems
  • Apply principle of least privilege to all user accounts with server access
  • Monitor for unusual file creation patterns in container host directories

🔍 How to Verify

Check if Vulnerable:

Check the Wings Daemon version by running: wings version. If the reported version is v1.7.0 to v1.7.2 or v1.11.0 to v1.11.2, the system is vulnerable.

Check Version:

wings version

Verify Fix Applied:

After patching, verify that the output of wings version shows v1.7.3 or v1.11.3. Then confirm that file creation restrictions are properly enforced for server users.
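As an added example (not part of this advisory page or of the Pterodactyl project), the following POSIX shell helper classifies a Wings version string against the ranges stated above, so the check can be scripted across many hosts. It assumes the output of wings version contains a token of the form vX.Y.Z.

```shell
# Added example, not Pterodactyl code: classify a Wings Daemon version string
# against the ranges this advisory names. Assumption: `wings version` prints a
# token of the form vX.Y.Z somewhere in its output.
#
# Prints one of:
#   vulnerable - 1.7.0-1.7.2 or 1.11.0-1.11.2 (affected per the advisory)
#   fixed      - 1.7.3+ or 1.11.3+ in those series (patched per the advisory)
#   unlisted   - no version token found, or a series this advisory does not
#                enumerate; consult the vendor advisory rather than assume safe
wings_classify_version() {
    # Pull the first X.Y.Z token out of whatever text we were handed.
    ver=$(printf '%s\n' "$1" | grep -oE 'v?[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 | sed 's/^v//')
    if [ -z "$ver" ]; then
        echo unlisted
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -ne 1 ]; then
        echo unlisted
        return 0
    fi
    case "$minor" in
        7|11)
            # Both series were fixed at patch level 3 (v1.7.3 / v1.11.3).
            if [ "$patch" -lt 3 ]; then echo vulnerable; else echo fixed; fi
            ;;
        *)
            echo unlisted
            ;;
    esac
}

# Stand-alone use on a host that has the wings binary; does nothing elsewhere.
if command -v wings >/dev/null 2>&1; then
    out=$(wings version 2>&1)
    echo "Wings Daemon status for CVE-2023-25152: $(wings_classify_version "$out")"
fi
```

Feed it the captured output of wings version from each node; anything reported as unlisted should be checked against the vendor advisory by hand.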

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation patterns in container host directories
  • Unauthorized attempts to modify resource allocations
  • Suspicious SSH key modifications in authorized_keys files

Network Indicators:

  • Unexpected outbound connections from Wings-managed containers
  • Unusual API calls to Wings management interface

SIEM Query:

source="wings.log" AND ("file creation" OR "directory creation" OR "resource allocation")
