PT-2026-1360 · Unknown · Pterodactyl
Published 2026-01-06 · Updated 2026-01-17 · CVE-2025-68954
CVSS v4.0: 7.5 (High)
| Vector | AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Pterodactyl versions prior to 1.12.0
Description
Pterodactyl, a game server management panel, does not terminate existing SFTP connections when a user's access to a server is revoked or their permissions are modified. If a user is connected over SFTP at the moment their permissions are changed or they are removed from a server instance, the open connection stays active and the user keeps the file access they were granted at login, despite the revoked or reduced permissions. Exploitation requires the user to already be connected over SFTP when the permission change or removal happens; the issue is limited to sessions that were open at that time, since a user who reconnects afterwards is evaluated against the updated permissions.
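The pattern behind this weakness, shown as an added example written for this page rather than Pterodactyl's own code (Go is used because Pterodactyl's daemon that serves SFTP is written in Go, but nothing here is taken from it). The names `Perms`, `PermStore`, `Registry`, `RevokeAccess` and the user/server pair `alice`/`srv1` are this example's own assumptions. `ReadVulnerable` authorizes every operation against the permission snapshot taken at login, so a removal or downgrade recorded in the store is never noticed by an already-open session. `ReadHardened` re-checks the authoritative store on each operation, and `RevokeAccess` additionally terminates the user's live sessions when access is revoked, which is the behaviour the advisory says affected versions lack.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrForbidden     = errors.New("permission denied")
	ErrSessionClosed = errors.New("session terminated")
)

// Perms is a hypothetical per-server permission set; the field name is this example's own.
type Perms struct{ ReadFiles bool }

func key(user, server string) string { return user + "@" + server }

// PermStore stands in for the panel's authoritative permission database (single-goroutine demo, so unsynchronized).
type PermStore map[string]Perms

func (s PermStore) Set(user, server string, p Perms) { s[key(user, server)] = p }
func (s PermStore) Remove(user, server string)       { delete(s, key(user, server)) }

// Session models one authenticated SFTP connection.
type Session struct {
	User, Server string
	loginPerms   Perms     // snapshot taken when the connection authenticated
	store        PermStore // live authority, consulted by the hardened path
	closed       bool
}

// ReadVulnerable authorizes against the login-time snapshot only, so a
// permission change or removal made after login is never observed.
func (s *Session) ReadVulnerable() error {
	if s.closed {
		return ErrSessionClosed
	}
	if !s.loginPerms.ReadFiles {
		return ErrForbidden
	}
	return nil
}

// ReadHardened re-reads the authoritative store on every operation, so a
// revoked or downgraded user is refused even on a connection that stays open.
func (s *Session) ReadHardened() error {
	if s.closed {
		return ErrSessionClosed
	}
	if p, ok := s.store[key(s.User, s.Server)]; !ok || !p.ReadFiles {
		return ErrForbidden
	}
	return nil
}

// Registry tracks live sessions by user@server so a revocation can terminate them.
type Registry map[string][]*Session

// Open authenticates a user on a server; it succeeds only if the store has an entry.
func (r Registry) Open(store PermStore, user, server string) (*Session, error) {
	p, ok := store[key(user, server)]
	if !ok {
		return nil, ErrForbidden
	}
	sess := &Session{User: user, Server: server, loginPerms: p, store: store}
	r[key(user, server)] = append(r[key(user, server)], sess)
	return sess, nil
}

// TerminateFor closes every live session the user holds on the server and returns the count.
func (r Registry) TerminateFor(user, server string) int {
	k := key(user, server)
	for _, s := range r[k] {
		s.closed = true
	}
	n := len(r[k])
	delete(r, k)
	return n
}

// RevokeAccess is the hardened revocation path: update the store and kill live sessions.
func RevokeAccess(store PermStore, reg Registry, user, server string) int {
	store.Remove(user, server)
	return reg.TerminateFor(user, server)
}

func main() {
	store, reg := PermStore{}, Registry{}
	store.Set("alice", "srv1", Perms{ReadFiles: true}) // constructed sample data
	sess, _ := reg.Open(store, "alice", "srv1")
	store.Remove("alice", "srv1") // revoke in the store only, as the advisory describes
	fmt.Println("vulnerable read after revoke:", sess.ReadVulnerable()) // <nil>: still allowed
	fmt.Println("hardened read after revoke:", sess.ReadHardened())     // permission denied
	fmt.Println("sessions terminated:", RevokeAccess(store, reg, "alice", "srv1"))
	fmt.Println("read after termination:", sess.ReadVulnerable()) // session terminated
}
```

Re-checking the store on every operation closes the window on its own, but terminating live sessions on revocation is still worth doing: it also covers operations whose authorization is cached elsewhere in the session and gives the administrator an immediate, observable cut-off rather than one that depends on the next request.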
Recommendations
Update Pterodactyl to version 1.12.0 or later. Until the update is applied, do not treat removing a user from a server or reducing their permissions as an immediate cut-off: any SFTP session that user had open at the time keeps its previous access until that session is actually closed.
Exploit
Fix
Weakness Enumeration
Insufficient Session Expiration
Related Identifiers
CVE-2025-68954
Affected Products
Pterodactyl