CVE-2025-68954
Persistent SFTP Access Vulnerability in Pterodactyl
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pterodactyl | panel | 1.12.0 |
| pterodactyl | wings | 1.12.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68954 is a vulnerability in the Pterodactyl game server management panel and its Wings SFTP subsystem where active SFTP connections are not revoked when a user is removed from a server or their permissions are changed. This means that if a user is connected via SFTP at the time their permissions are revoked, they can continue to access files on the server despite no longer having permission. The issue arises because permissions are only checked once during the initial authentication handshake, and not revalidated during the session. This vulnerability affects versions 1.11.11 and below and is fixed in version 1.12.0. [3, 2]
How can this vulnerability impact me?
This vulnerability can allow a user who had legitimate access to a server via SFTP to continue accessing files even after their permissions have been revoked or they have been removed from the server. This unauthorized persistent access could lead to exposure or modification of sensitive files on the server. The attacker must have been connected at the time their permissions were revoked to exploit this. It poses a high impact on confidentiality, integrity, and availability of the affected system's files accessible via SFTP. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring active SFTP connections on the Wings daemon to identify users who remain connected after their permissions have been revoked or they have been removed as subusers. Since the vulnerability involves active SFTP sessions not being revoked, you can check for persistent SFTP connections from users who should no longer have access. Which commands list active SFTP connections depends on the server environment, but they generally involve `sshd` or `netstat`; for example, on the server running Wings you can use `netstat -tnp | grep sshd` or `ss -tnp | grep sshd` to list active SSH/SFTP connections. Additionally, reviewing Wings logs or using the Wings API endpoint `/api/deauthorize-user` (as introduced in the fix) can help verify whether users are properly deauthorized. However, no specific detection commands are provided in the resources. [3, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Pterodactyl Panel and Wings to version 1.12.0 or later, where this vulnerability is fixed. The update introduces a mechanism that forcibly disconnects active SFTP and WebSocket sessions when a user's permissions are revoked or when they are removed as subusers, preventing unauthorized persistent access. Until the upgrade is applied, a temporary workaround is to manually restart the Wings daemon to terminate active SFTP connections for users whose permissions have changed. This will force disconnection of lingering sessions. Additionally, reviewing user permissions and ensuring no unauthorized active connections remain is recommended. [1, 2, 3]
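The fix pattern described above (tracking live sessions so that revoking a user's permissions on a server closes every session that user holds there, instead of trusting the one-time check at the auth handshake), as an added Go example that is not Wings' own code: `Registry`, `Session` and `Deauthorize` are hypothetical names, and the real connection teardown is replaced by a `Closed` flag.

```go
package main
import (
	"fmt"
	"sync"
)

// Session models one live SFTP connection. Its permissions were checked once at
// the auth handshake (the CWE-613 pattern above) and are never revalidated.
type Session struct {
	User, Server string
	Closed       bool // set when the daemon forcibly disconnects the session
}

// Registry (hypothetical name, not the Wings type) tracks live sessions so that
// a permission change can reach them instead of waiting for the client to leave.
type Registry struct {
	mu       sync.Mutex
	sessions map[*Session]struct{}
}

func NewRegistry() *Registry { return &Registry{sessions: map[*Session]struct{}{}} }
// Register records a session once the handshake has passed the permission check.
func (r *Registry) Register(user, server string) *Session {
	r.mu.Lock()
	defer r.mu.Unlock()
	s := &Session{User: user, Server: server}
	r.sessions[s] = struct{}{}
	return s
}
// Deauthorize is the fix pattern: revoking a user's access to a server closes
// every live session for that (user, server) pair and returns how many it closed.
func (r *Registry) Deauthorize(user, server string) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	n := 0
	for s := range r.sessions {
		if s.User == user && s.Server == server {
			s.Closed = true // a real daemon would close the underlying net.Conn here
			delete(r.sessions, s)
			n++
		}
	}
	return n
}

func main() {
	reg := NewRegistry()
	a, b := reg.Register("alice", "srv-1"), reg.Register("bob", "srv-1") // constructed
	fmt.Println(reg.Deauthorize("alice", "srv-1"), a.Closed, b.Closed) // 1 true false
}
```

Sessions belonging to other users, or to the same user on a different server, are left untouched, which is the check an operator would run after a subuser removal.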
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users who have had their permissions revoked to maintain active SFTP connections and access files, potentially leading to unauthorized access to sensitive data. Such unauthorized persistent access could violate compliance requirements in standards like GDPR and HIPAA, which mandate strict access controls and timely revocation of user permissions to protect personal and sensitive information. Therefore, failure to revoke active sessions promptly may result in non-compliance with these regulations. [3]