CVE-2025-68954 Overview
CVE-2025-68954 is an Improper Session Expiration vulnerability (CWE-613) in Pterodactyl, a free, open-source game server management panel. Versions 1.11.11 and below fail to revoke active SFTP connections when a user is removed from a server instance or has their file access permissions modified. This allows an already-connected user to maintain their SFTP session and continue accessing files even after administrative action has revoked their permissions.
Critical Impact
Authenticated users with revoked permissions can maintain unauthorized file access to game server data through persistent SFTP connections, bypassing administrative security controls.
Affected Products
- Pterodactyl Panel versions 1.11.11 and below
- Pterodactyl Panel installations using SFTP subuser functionality
- Game server deployments managed through vulnerable Pterodactyl versions
Discovery Timeline
- 2026-01-06 - CVE-2025-68954 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-68954
Vulnerability Analysis
This vulnerability stems from insufficient session management in Pterodactyl's subuser permission system. When an administrator removes a subuser or modifies their SFTP file access permissions, the panel fails to terminate that user's existing SFTP and WebSocket connections. Establishing the connection requires high privileges (an existing subuser account with SFTP access), but once the session is active, exploitation needs no further user interaction.
The vulnerability specifically affects the subuser controller and daemon repository components. A malicious user who anticipates permission revocation could intentionally maintain an active SFTP session to retain unauthorized access to server files. This creates a window of exposure where revoked users can continue reading, modifying, or deleting files on managed game servers.
Root Cause
The root cause is an Improper Session Expiration (CWE-613) flaw in the permission revocation workflow. The original implementation did not include a mechanism to signal the daemon to disconnect active sessions when subuser permissions were changed. The SubuserController.php component handled permission updates at the panel level but lacked integration with a session revocation service on the daemon side.
Attack Vector
The attack is network-based and requires the attacker to have high privileges (an existing subuser account with SFTP access). The attacker must already be connected over SFTP at the moment their permissions are revoked. Although this precondition makes exploitation a matter of timing (which is where the attack complexity lies), a successful attack fully preserves the previous access level, with high impact to the confidentiality, integrity, and availability of server files.
An attacker could:
- Establish an SFTP connection to a server where they have subuser access
- Maintain the connection while waiting for permission changes
- Continue accessing files after their permissions have been administratively revoked
- Exfiltrate sensitive configuration files or modify game server data
The security patch introduces a DaemonRevocationRepository to properly disconnect sessions:
use Illuminate\Support\Facades\Log;
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
use Pterodactyl\Services\Subusers\SubuserCreationService;
-use Pterodactyl\Repositories\Wings\DaemonServerRepository;
use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
+use Pterodactyl\Repositories\Wings\DaemonRevocationRepository;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
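Review bot: the hunk swaps the DaemonServerRepository import for DaemonRevocationRepository but shows none of the controller's call sites, so it is not visible where the new repository is invoked on subuser update and delete, nor whether any reference to DaemonServerRepository remains in this file; the full commit should be checked for both. Because the revocation request goes to Wings over the network, those call sites should also handle DaemonConnectionException (already imported here) and log the failure via the imported Log facade, so that a daemon outage does not leave the permission change applied in the panel while the session stays open unnoticed.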
Source: GitHub Commit 2bd9d8b
Detection Methods for CVE-2025-68954
Indicators of Compromise
- SFTP sessions that persist beyond their expected duration after permission changes
- File access logs showing activity from users no longer listed as subusers
- WebSocket connections maintained after subuser removal events
- Unexpected file modifications on servers where user access was recently revoked
Detection Strategies
- Monitor SFTP connection logs for sessions that remain active after corresponding permission revocation events in the panel
- Correlate panel audit logs (subuser removal/permission changes) with daemon connection logs to identify orphaned sessions
- Implement alerting for file access events from users whose permissions were recently modified
- Review daemon logs for disconnect failures following permission change API calls
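An added example (not from this page or the Pterodactyl project) of the log correlation described above: it joins constructed panel audit events with constructed daemon SFTP session events, so the field layout is an assumption, and flags sessions of a revoked user that outlive the revocation beyond a grace period or show file activity after it.

```python
from datetime import datetime, timedelta

# Constructed sample logs; the key=value layout is an assumption, not Pterodactyl's real format.
PANEL_AUDIT = [
    "2026-01-07T10:00:00 server=srv1 event=subuser.update user=alice",
    "2026-01-07T10:05:00 server=srv1 event=subuser.delete user=bob",
]
DAEMON_SFTP = [
    "2026-01-07T09:50:00 server=srv1 sftp=open user=alice session=s1",
    "2026-01-07T09:55:00 server=srv1 sftp=open user=bob session=s2",
    "2026-01-07T10:00:10 server=srv1 sftp=close user=alice session=s1",
    "2026-01-07T10:30:00 server=srv1 sftp=read user=bob session=s2 path=/config.yml",
]

# Panel events after which a user's live daemon sessions should be gone.
REVOCATION_EVENTS = {"subuser.update", "subuser.delete"}


def parse(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def orphaned_sessions(panel_lines, daemon_lines, grace=timedelta(seconds=30)):
    """Return sessions that stayed open (or did file I/O) after their user was revoked."""
    revocations = [r for r in map(parse, panel_lines) if r["event"] in REVOCATION_EVENTS]
    sessions = {}  # session id -> open/close times plus post-open activity
    for r in map(parse, daemon_lines):
        s = sessions.setdefault(r["session"], {"user": r["user"], "server": r["server"],
                                               "open": None, "close": None, "activity": []})
        if r["sftp"] == "open":
            s["open"] = r["ts"]
        elif r["sftp"] == "close":
            s["close"] = r["ts"]
        else:
            s["activity"].append(r["ts"])  # read/write/delete events
    findings = []
    for rev in revocations:
        for sid, s in sessions.items():
            if s["user"] != rev["user"] or s["server"] != rev["server"]:
                continue
            if s["open"] is None or s["open"] > rev["ts"]:
                continue  # a login after revocation is a separate authorization failure
            if s["close"] is not None and s["close"] <= rev["ts"] + grace:
                continue  # daemon dropped the session promptly: expected behaviour
            late = [t for t in s["activity"] if t > rev["ts"]]
            findings.append({"session": sid, "user": s["user"], "server": s["server"],
                             "revoked_at": rev["ts"], "post_revocation_activity": len(late)})
    return findings
```

With the sample data, alice's session is closed within the grace window and is ignored, while bob's session never closes and records a read after his removal, so it is reported.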
Monitoring Recommendations
- Enable verbose logging on both Pterodactyl Panel and Wings daemon components
- Implement session duration monitoring to detect abnormally long SFTP connections
- Set up automated correlation between panel permission events and daemon session states
- Establish baseline metrics for normal SFTP session patterns to identify anomalies
How to Mitigate CVE-2025-68954
Immediate Actions Required
- Upgrade Pterodactyl Panel to version 1.12.0 or later immediately
- Restart the Wings daemon service after upgrading to ensure all active sessions are terminated
- Audit recent subuser permission changes and verify no unauthorized access occurred
- Force disconnect all active SFTP sessions as a precautionary measure during the upgrade window
Patch Information
The vulnerability is fixed in Pterodactyl Panel version 1.12.0. The patch introduces a new DaemonRevocationRepository component that properly signals the Wings daemon to disconnect SFTP and WebSocket connections when subuser permissions are revoked. The fix is available in commit 2bd9d8baddb0e0606e4a9d5be402f48678ac88d5.
For detailed patch information, see:
Workarounds
- Manually restart the Wings daemon service after any subuser permission changes to force-terminate all active connections
- Implement network-level session timeouts for SFTP connections to limit exposure windows
- Temporarily disable SFTP access for all subusers until the patch can be applied
- Use firewall rules to restrict SFTP access to trusted IP ranges only
# Restart Wings daemon to terminate active sessions after permission changes
systemctl restart wings
# Verify no active SFTP connections remain (2022 is the default Wings SFTP port; adjust if changed)
ss -tnp | grep :2022
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.