CVE-2025-69197
Unknown Unknown - Not Provided
Replay Vulnerability in Pterodactyl 2FA Allows Unauthorized Access

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2025-69197
EUVD
EUVD-2026-1040
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pterodactyl panel 1.12.0
pterodactyl panel to 1.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-294 A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Pterodactyl game server management panel versions 1.11.11 and below. It involves the two-factor authentication (2FA) system using Time-based One-Time Passwords (TOTP). Normally, a TOTP token should only be used once during its validity window (about 60 seconds). However, due to improper handling, the system does not mark a token as used after login, allowing an attacker who has intercepted a valid token (for example, during a screen share) and knows the username and password to reuse that token within its validity period to authenticate successfully. This flaw is classified as improper authentication and was fixed in version 1.12.0. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to your Pterodactyl panel account if an attacker intercepts a valid TOTP token and already knows your username and password. The attacker can reuse the intercepted token within its 60-second validity window to bypass the 2FA protection, compromising the confidentiality of your account. However, it does not affect data integrity or availability. [1]

Detection Guidance

This vulnerability involves the reuse of TOTP tokens during 2FA in Pterodactyl panel versions 1.11.11 and below. Detection can focus on monitoring authentication logs for multiple successful logins using the same TOTP token within its 60-second validity window. Since the system does not mark tokens as used, repeated use of identical TOTP tokens in a short timeframe may indicate exploitation. Specific commands depend on your logging setup, but generally, you can search authentication logs for repeated TOTP token usage or suspicious login patterns. For example, using grep or similar tools to search logs for repeated 2FA token entries or unusual login timestamps. However, no exact commands are provided in the resources. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the Pterodactyl panel to version 1.12.0 or later, where the issue is fixed. The fix includes enhanced TOTP verification that prevents token reuse by tracking the timestamp of the last successful TOTP authentication and rejecting older tokens. Additionally, ensure that 2FA settings are properly managed so that toggling 2FA resets authentication timestamps, and monitor for any suspicious login activity. Applying the official patch or update is the most effective mitigation. [1, 2]

Compliance Impact

This vulnerability allows an attacker who intercepts a valid 2FA token to reuse it within its validity window, potentially leading to unauthorized access to user accounts. Such unauthorized access can compromise the confidentiality of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. Therefore, the vulnerability poses a risk to maintaining compliance with these regulations by weakening the effectiveness of two-factor authentication controls. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69197. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart