CVE-2025-69197

6.5 MEDIUM

📋 TL;DR

This vulnerability in Pterodactyl Panel allows an attacker to reuse an intercepted TOTP 2FA token within its 60-second validity window. Users with 2FA enabled are affected: an attacker who captures a valid token (e.g., via screen sharing) can replay it to bypass the 2FA check. The root cause is that a token accepted once is not marked as consumed in versions 1.11.11 and below.
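As an added illustration (not Pterodactyl's own code), the check the fix restores: a TOTP verifier that records the last accepted time step per user and refuses any later submission of a code for that step or an earlier one. The demo secret, the one-step drift window and the in-memory store are assumptions for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo secret, not a real user's
STEP_SECONDS = 30  # RFC 6238 default time step
DRIFT_STEPS = 1    # assumption: accept one step either side for clock drift
DIGITS = 6

def demo_secret() -> bytes:
    return base64.b32decode(DEMO_SECRET_B32)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret: bytes, at: int) -> str:
    """Code an authenticator app shows at Unix time `at`."""
    return hotp(secret, at // STEP_SECONDS)

class TotpVerifier:
    """Accepts a TOTP code once: the matched time step is recorded per user and
    any code for that step or an earlier one is refused afterwards (RFC 6238
    section 5.2). Dropping that bookkeeping is the replay bug described above."""

    def __init__(self) -> None:
        # user id -> highest accepted step; in-memory for the demo, a real panel
        # would persist this with the user record
        self._last_step: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str,
               now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if not hmac.compare_digest(hotp(secret, step), code):
                continue
            if step <= self._last_step.get(user, -1):
                return False  # already consumed: reject the replay
            self._last_step[user] = step
            return True
        return False
```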

💻 Affected Systems

Products:
  • Pterodactyl Panel
Versions: 1.11.11 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with 2FA enabled for users. The vulnerability exists in the authentication flow.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Account takeover of any user with 2FA enabled, allowing attackers to gain administrative control over game servers and potentially access sensitive data.

🟠 Likely Case: Targeted account compromise of users whose 2FA tokens are intercepted through social engineering or screen sharing attacks.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, though authentication bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires intercepting a valid 2FA token (e.g., via screen capture, phishing) and having valid credentials. The 60-second window limits attack opportunities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.0

Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-rgmp-4873-r683

Restart Required: Yes

Instructions:

1. Backup your current installation.
2. Update to version 1.12.0 via the release page.
3. Run database migrations.
4. Restart the panel service.

🔧 Temporary Workarounds

Disable 2FA temporarily (applies to: all)

Temporarily disable two-factor authentication for all users until patching is complete.

Implement rate limiting (applies to: all)

Add rate limiting on authentication endpoints to prevent token reuse attempts.

🧯 If You Can't Patch

  • Monitor authentication logs for multiple login attempts with the same token within 60 seconds.
  • Implement network segmentation to limit access to the Pterodactyl panel to trusted networks only.

🔍 How to Verify

Check if Vulnerable:

Check if your Pterodactyl version is 1.11.11 or below and if 2FA is enabled for any users.

Check Version:

Check the panel version in the admin settings or via the web interface.

Verify Fix Applied:

Confirm version is 1.12.0 or higher and test that TOTP tokens cannot be reused within their validity window.

📡 Detection & Monitoring

Log Indicators:

  • Multiple authentication attempts with the same TOTP token within 60 seconds
  • Successful logins from unusual IP addresses shortly after legitimate logins

Network Indicators:

  • Unusual authentication traffic patterns
  • Multiple login requests from different IPs with same credentials

SIEM Query:

source="pterodactyl" AND ((event="authentication" AND token_reuse=true) OR (multiple_login_attempts within 60s))
