Foundry Gaming has strengthened the security of its gaming platform with support from Positive Technologies

PT SWARM researcher Oleg Surnin identified two vulnerabilities in Foundry Virtual Tabletop (Foundry VTT), an online gaming platform developed by Foundry Gaming. If exploited, the issues could lead to remote code execution on a server running Foundry VTT, giving an attacker the ability to take the server offline for extortion, hijack its resources for cryptomining, or use it as a foothold for subsequent attacks. The vendor was notified of the threat in line with the responsible disclosure policy and released a software patch.
Positive Technologies rated the vulnerabilities PT-2025-138 and PT-2025-139 [1] at 7.1 and 8.4 out of 10 under CVSS v4.0. If exploited, the vulnerabilities could enable an attacker to run malicious code on a Foundry VTT server or escalate privileges to administrator. This could allow the compromised host to be enrolled into a botnet [2] used to launch DDoS attacks [3]. The security flaws could also be exploited to install a cryptominer that would consume substantial memory and power, or to lock server access and extort players for ransom. Users are advised to upgrade to Foundry VTT 13.351 or later as soon as possible to fix the issues.

Foundry VTT is widely used by online gamers. Its official Discord server has around 104,000 members and over 90 dedicated game channels, with roughly 1,500 new users joining each month. The platform's Reddit community draws about 50,000 visitors per week. Based on threat intelligence, Positive Technologies estimates that about 120,000 servers globally may be exposed. The highest concentrations are in the United States (25%), Brazil (12%), Germany (9%), Mexico (8%), and Spain (5%).

[1] The vulnerabilities are registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.

[2] A botnet is a network of devices infected with malware that allows attackers to remotely access the devices and control them.

[3] A DDoS attack floods a server with traffic from multiple sources, overloading it and making the service unavailable. When this happens, legitimate users cannot reach the system, or the service becomes severely degraded and unreliable.

"In Foundry VTT, the administrator is responsible for provisioning a server that meets the technical requirements and for setting up the game. If these vulnerabilities were exploited, administrators would be the first to be impacted. Another at-risk group includes managed hosting providers that offer installation of gaming software and ongoing support for an extra fee. Such organizations typically update the software in a timely manner, but users should still check what version is running and, if needed, request an update to the latest release."

Oleg Surnin, Head of Mobile Application Security Research at Positive Technologies

In 2025, PT SWARM researchers Oleg Surnin, Alexey Pisarenko, and Alexey Solovyov helped fix vulnerabilities PT-2024-29 to PT-2024-34 in the Passwork password manager, including issues that could lead to code execution and privilege escalation.

To catch vulnerabilities like these during development, teams can use static code analysis tools such as PT Application Inspector. Advanced NTA/NDR systems, such as PT Network Attack Discovery (PT NAD), can spot exploitation attempts, and NGFW platforms such as PT NGFW can stop attacks. The risk of exploitation can be further reduced with a web application firewall like PT Application Firewall, which is also offered in a cloud version called PT Cloud Application Firewall.

For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.