What is the CVSS score of CVE-2025-69197?

CVE-2025-69197 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Panel are affected by CVE-2025-69197?

Organizations using Pterodactyl should be aware of notable risk from CVE-2025-69197, a improper authentication vulnerability rated CVSS 6.5.. A patch is available.

How to fix or mitigate CVE-2025-69197?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Audit authentication configurations.

Panel CVE-2025-69197

MEDIUM

Improper Authentication (CWE-287)

2026-01-06 security-advisories@github.com

GHSA-rgmp-4873-r683

Authentication Bypass Panel

6.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.5 MEDIUM

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Jan 12, 2026 - 21:26 nvd

Patch available

CVE Published

Jan 06, 2026 - 01:16 nvd

MEDIUM 6.5

DescriptionGitHub Advisory

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for example, during a screen share). This issue is fixed in version 1.12.0.

AnalysisAI

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. [CVSS 6.5 MEDIUM]

Technical ContextAI

Classified as CWE-287 (Improper Authentication). Affects Panel. Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use it in addition to a known username/password during the 60-second token validity window. The attacker must have intercepted a valid 2FA token (for exam

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.12.0.. Restrict network access to the affected service where possible.

CVE-2025-69197 vulnerability details – vuln.today

Back

Panel CVE-2025-69197

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code