CVE-2025-68954

5.4 MEDIUM

📋 TL;DR

This vulnerability in Pterodactyl Panel lets a user who has an SFTP session open at the moment their server permissions are revoked keep using that session, and the file access it grants, after the revocation. It affects administrators who manage game servers with Pterodactyl Panel 1.11.11 and earlier and who delegate access to subusers. Only sessions already connected when the permission change is made are affected; a fresh SFTP connection is checked against the new permissions.
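The underlying failure mode is a session that authorizes once, at login, and never looks again. The following is an added illustrative model written for this page, not Pterodactyl Panel or Wings source: a vulnerable session class that snapshots permissions at login is placed beside a hardened one that consults the authoritative store on every operation and is torn down when the grant is removed. The permission store, session registry and permission names (`file.read`, `file.update`) are constructed stand-ins, not the project's real data model.

```python
"""Illustrative model of the CVE-2025-68954 failure mode.

Constructed example, not Pterodactyl Panel or Wings source. Two session
classes share one permission store: SnapshotSession copies the user's
permissions at login (the pattern the advisory describes), LiveSession
re-reads the store on every operation, so a revocation takes effect
immediately instead of at the next login.
"""

# Stand-in for the panel's subuser permission table: (user, server) -> perms.
PERMISSIONS: dict[tuple[str, str], set[str]] = {}

# Stand-in for the daemon's table of open SFTP sessions, so a revocation can
# also tear down anything already connected (a second, independent control).
ACTIVE_SESSIONS: list["LiveSession"] = []


class PermissionDenied(Exception):
    pass


def grant(user: str, server: str, perms: set[str]) -> None:
    PERMISSIONS[(user, server)] = set(perms)


def revoke(user: str, server: str) -> int:
    """Remove a subuser and close any live sessions they hold.
    Returns the number of sessions closed."""
    PERMISSIONS.pop((user, server), None)
    closed = 0
    for session in list(ACTIVE_SESSIONS):
        if (session.user, session.server) == (user, server):
            session.close()
            closed += 1
    return closed


class SnapshotSession:
    """Vulnerable pattern: permissions are checked once, at login."""

    def __init__(self, user: str, server: str) -> None:
        self.user, self.server = user, server
        self.perms = set(PERMISSIONS.get((user, server), ()))  # frozen copy
        if not self.perms:
            raise PermissionDenied("login rejected")

    def read(self, path: str) -> str:
        if "file.read" not in self.perms:  # stale: never sees a revocation
            raise PermissionDenied(path)
        return f"<contents of {path}>"


class LiveSession:
    """Hardened pattern: the authoritative store is consulted per operation."""

    def __init__(self, user: str, server: str) -> None:
        self.user, self.server = user, server
        self.open = True
        if not PERMISSIONS.get((user, server)):
            raise PermissionDenied("login rejected")
        ACTIVE_SESSIONS.append(self)

    def close(self) -> None:
        self.open = False
        if self in ACTIVE_SESSIONS:
            ACTIVE_SESSIONS.remove(self)

    def read(self, path: str) -> str:
        current = PERMISSIONS.get((self.user, self.server), set())
        if not self.open or "file.read" not in current:
            raise PermissionDenied(path)
        return f"<contents of {path}>"


def demo() -> dict[str, bool]:
    """Grant, connect with both session types, revoke mid-session, retry."""
    PERMISSIONS.clear()
    ACTIVE_SESSIONS.clear()
    grant("alice", "srv-1", {"file.read", "file.update"})
    stale = SnapshotSession("alice", "srv-1")
    live = LiveSession("alice", "srv-1")
    # Both sessions work while the grant exists.
    assert stale.read("server.properties") and live.read("server.properties")

    closed = revoke("alice", "srv-1")  # admin removes the subuser mid-session

    def denied(session) -> bool:
        try:
            session.read("server.properties")
            return False
        except PermissionDenied:
            return True

    return {
        "snapshot_still_reads_after_revoke": not denied(stale),
        "live_denied_after_revoke": denied(live),
        "live_session_closed_by_revoke": closed == 1 and not live.open,
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns all three flags true: the snapshot session keeps reading after the revocation, the live session is refused, and the revocation also closed it. Either of the two controls in `LiveSession` would close the window on its own; re-checking per operation is the one that does not depend on the daemon being told about the change.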

💻 Affected Systems

Products:
  • Pterodactyl Panel
Versions: 1.11.11 and below
Operating Systems: All platforms running Pterodactyl
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects SFTP connections active at the time of permission revocation.

📦 What is this software?

Pterodactyl is an open-source game server management panel. It has two parts: the Panel, a PHP/Laravel web application where administrators create servers and assign subusers and their permissions, and Wings, a Go daemon on each node that runs the game servers in Docker containers and also provides the SFTP service through which users manage server files. The SFTP access affected by this issue is that Wings-hosted SFTP service, authorized using permissions held by the Panel.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Former users maintain persistent unauthorized access to sensitive server files, potentially leading to data theft, modification, or deletion.

🟠

Likely Case

Users who lose permissions but remain connected can continue accessing files they shouldn't, violating access control policies.

🟢

If Mitigated

If sessions are terminated whenever permissions change, exposure is limited to the short window between the revocation and the termination.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an SFTP session that was legitimately authorized before the revocation; beyond keeping that connection open, no further technique is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.0

Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c

Restart Required: Yes

Instructions:

1. Back up your Pterodactyl installation and database.
2. Update to version 1.12.0 using the official upgrade guide.
3. Restart the panel and queue worker services.
4. Verify all services are running correctly.

🔧 Temporary Workarounds

Manual SFTP Connection Termination

Manually terminate all active SFTP sessions before or immediately after revoking user permissions. Pterodactyl's SFTP server is built into the Wings daemon on each node, not run as a separate service, so dropping sessions means restarting Wings (the unit is normally named wings; check the name if Wings was installed by other means). This drops every SFTP and console session on that node, not only the revoked user's, while the game servers themselves keep running in their containers.

# Restart the Wings daemon on the node to drop all SFTP connections
sudo systemctl restart wings

🧯 If You Can't Patch

  • Monitor and audit SFTP activity, and drop sessions (restart Wings on the affected node) whenever a user's permissions are reduced or removed.
  • Restrict the Wings SFTP port (2022 by default) at the network level to the addresses that legitimately need it, so a revoked user outside that set cannot keep the session alive.

🔍 How to Verify

Check if Vulnerable:

Check the Pterodactyl Panel version in the admin panel, or in config/app.php of the panel installation. Versions 1.11.11 and below are vulnerable.

Check Version:

From the panel directory (commonly /var/www/pterodactyl):

php artisan p:info | grep 'Panel Version'

Verify Fix Applied:

After updating to 1.12.0, test with a throwaway account: create a subuser with SFTP file permissions on a test server, open an SFTP session as that user, revoke the permissions from the panel, and confirm that the already-open session is terminated and that further file operations over it fail. Clean up the test subuser afterwards.

📡 Detection & Monitoring

Log Indicators:

  • SFTP connections persisting after user permission changes
  • Unauthorized file access attempts from previously authorized users

Network Indicators:

  • Unexpected SFTP traffic from users with revoked permissions

SIEM Query:

The panel does not write a single "pterodactyl.log"; its application log lives under storage/logs/, and since panel 1.10 subuser and SFTP actions are recorded in the activity log (events named along the lines of server:subuser.delete and server:sftp.write, confirm the exact names in your version). Wings logs SFTP logins separately on the node. The query below is a placeholder for the correlation that matters here: SFTP activity by a user on a server after that user's access to it was removed.

source="pterodactyl.log" AND ("SFTP" AND "permission" AND "revoke")
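The correlation the query above gestures at can be run offline over an export of the activity log. The following is an added example written for this page, not part of the original or of Pterodactyl: it reads newline-delimited JSON, treats a subuser removal (or an update that leaves no file permissions) as a revocation, and flags every later SFTP event by that user on that server. The sample records and their field layout (`ts`, `event`, `server`, `user`, `subject_user`, `permissions`, `path`) are constructed for the example and only loosely modelled on the panel's activity log; map them to your own export.

```python
"""Flag SFTP activity that happened after the actor's access was revoked.

Added example, not page or project code. Record layout and event names are
assumptions modelled loosely on the Pterodactyl activity log; adjust them to
match the export you actually have.
"""

import json
from datetime import datetime

# Constructed sample, newline-delimited JSON as a log shipper might emit it.
SAMPLE_LOG = """\
{"ts":"2025-01-10T12:00:00Z","event":"server:sftp.write","server":"srv-1","user":"bob@example.com","path":"/plugins/x.jar"}
{"ts":"2025-01-10T12:03:00Z","event":"server:subuser.update","server":"srv-1","user":"admin@example.com","subject_user":"dave@example.com","permissions":["control.console"]}
{"ts":"2025-01-10T12:04:00Z","event":"server:sftp.write","server":"srv-1","user":"dave@example.com","path":"/server.properties"}
{"ts":"2025-01-10T12:05:00Z","event":"server:subuser.delete","server":"srv-1","user":"admin@example.com","subject_user":"bob@example.com"}
{"ts":"2025-01-10T12:07:30Z","event":"server:sftp.delete","server":"srv-1","user":"bob@example.com","path":"/world/level.dat"}
{"ts":"2025-01-10T12:08:00Z","event":"server:sftp.write","server":"srv-2","user":"bob@example.com","path":"/config.yml"}
{"ts":"2025-01-10T12:09:00Z","event":"server:sftp.write","server":"srv-1","user":"carol@example.com","path":"/ops.json"}
{"ts":"2025-01-10T12:10:00Z","event":"server:subuser.create","server":"srv-1","user":"admin@example.com","subject_user":"bob@example.com","permissions":["file.read"]}
{"ts":"2025-01-10T12:11:00Z","event":"server:sftp.write","server":"srv-1","user":"bob@example.com","path":"/restored.txt"}
"""

SFTP_PREFIX = "server:sftp."


def parse_ts(value: str) -> datetime:
    """ISO-8601 with a trailing Z, as the sample uses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def removes_file_access(record: dict) -> bool:
    """A delete always revokes; an update revokes file access when no
    file.* permission remains in the new set."""
    if record["event"] == "server:subuser.delete":
        return True
    if record["event"] == "server:subuser.update":
        return not any(p.startswith("file.") for p in record.get("permissions", []))
    return False


def find_stale_sftp_access(lines) -> list[dict]:
    records = [json.loads(line) for line in lines if line.strip()]
    records.sort(key=lambda r: parse_ts(r["ts"]))  # order by time, not arrival

    revoked: dict[tuple[str, str], datetime] = {}  # (server, user) -> when
    findings = []
    for rec in records:
        when = parse_ts(rec["ts"])
        if rec["event"].startswith("server:subuser."):
            key = (rec["server"], rec["subject_user"])
            if removes_file_access(rec):
                revoked[key] = when
            else:
                revoked.pop(key, None)  # re-granted: later activity is fine
        elif rec["event"].startswith(SFTP_PREFIX):
            key = (rec["server"], rec["user"])
            if key in revoked and when > revoked[key]:
                findings.append({
                    "user": rec["user"],
                    "server": rec["server"],
                    "event": rec["event"],
                    "path": rec.get("path"),
                    "seconds_after_revoke": int((when - revoked[key]).total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_stale_sftp_access(SAMPLE_LOG.splitlines()):
        print(f)
```

On the sample this yields two findings: dave writing to srv-1 sixty seconds after his update left him with console-only permissions, and bob deleting a file on srv-1 150 seconds after his subuser entry was removed. Bob's write on srv-2, carol's write, and bob's write after he was re-added are correctly left alone. Activity that the daemon never reports to the panel will not appear here, so pair this with the Wings SFTP login log on the node.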

🔗 References

  • Vendor advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c