We have identified a critical security vulnerability affecting publicly exposed dedicated servers that may allow a malicious actor to remotely control affected servers.
This vulnerability does not permit remote access to, or control of, the underlying host machine or operating system.
This issue affects dedicated servers only and is only exploitable when the Remote Control web interface is reachable over TCP.
If you are renting a server from a game server provider, we strongly recommend opening a support ticket and referencing this wiki article.
As a customer, you will not be able to remediate this issue on your own.
Your provider must apply the required mitigation steps on the server instance.
An attacker exploiting this vulnerability may be able to perform the following actions without any prior authentication:
Introducing the StarRupture Mod Loader
The SR Mod Loader's Server Utility plugin now blocks this exploit, while still allowing the in-game server manager to be used.
You can find it here: https://github.com/AlienXAXS/StarRupture-ModLoader
At this time, the below method is suitable to prevent exploitation.
Notice: You must use DSSettings.txt as explained in configuration or your server will never load a save file.
These mitigations intentionally disable the Remote Control / Server Manager web interface. This is expected behaviour.
The exploit is only possible while the Remote Control HTTP interface is exposed over TCP.
-RCWebControlDisable and -RCWebInterfaceDisable
DSSettings.txt file, you must create it as explained here
7777 (or whichever value is defined by your Port parameter).
You will not be able to use the Server Manager after implementing these fixes; this is by design.
If you want to set up the Join Password, you can do so here:
https://starrupture-utilities.com/passwords/
If you see this log entry, it means someone is remotely triggering a server crash.
LogRemoteControl: Warning: Deserialization error: Could not load object ... for property InUserDataClass.
If your log file contains the following elements in the crash stack, your server is being remotely exploited:
StarRuptureServerEOS-Win64-Shipping.exe!FRemoteControlModule::InvokeCall()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::ProcessRequest()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::CompleteRead()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::ContinueRead()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::BeginRead()
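A log check for the two indicators above, as an added example that is not part of the original page or of the game's own tooling. It assumes a plain-text log with one entry per line and a crash stack that fits within 40 lines; the sample log, including its object path, is constructed.

```python
import re
import sys
from pathlib import Path

# Indicators quoted on this page; "..." in the warning is an elided object path.
WARNING = re.compile(r"LogRemoteControl: Warning: Deserialization error: "
                     r"Could not load object .* for property InUserDataClass")
# Crash-stack frames, in the order the page lists them.
FRAMES = ["FRemoteControlModule::InvokeCall()",
          "FHttpConnection::ProcessRequest()",
          "FHttpConnection::CompleteRead()",
          "FHttpConnection::ContinueRead()",
          "FHttpConnection::BeginRead()"]
WINDOW = 40  # assumption: a crash stack fits within 40 log lines

def scan_log(lines):
    """Return (warning_line_numbers, crash_line_numbers), both 1-based."""
    lines = list(lines)
    warnings, crashes = [], []
    for number, line in enumerate(lines, start=1):
        if WARNING.search(line):
            warnings.append(number)
        if FRAMES[0] not in line:
            continue
        # Require the four FHttpConnection frames after InvokeCall(), in
        # order; unrelated frames between them are tolerated.
        remaining = list(FRAMES[1:])
        for later in lines[number:number + WINDOW]:
            if remaining and remaining[0] in later:
                remaining.pop(0)
        if not remaining:
            crashes.append(number)
    return warnings, crashes

# Constructed sample log; the first line and the object path are made up.
SAMPLE = """LogInit: Server started
LogRemoteControl: Warning: Deserialization error: Could not load object /Constructed/Path for property InUserDataClass.
StarRuptureServerEOS-Win64-Shipping.exe!FRemoteControlModule::InvokeCall()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::ProcessRequest()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::CompleteRead()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::ContinueRead()
StarRuptureServerEOS-Win64-Shipping.exe!FHttpConnection::BeginRead()
""".splitlines()

if __name__ == "__main__":
    log = (Path(sys.argv[1]).read_text(errors="replace").splitlines()
           if len(sys.argv) > 1 else SAMPLE)
    print("warning lines, crash-stack lines:", scan_log(log))
```

Run it with the path to a server log as the only argument; with no argument it scans the constructed sample.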
Last Updated: 14th Feb 2026
The following game server providers have been assessed for exposure to the reported vulnerability. Statuses reflect the most current information available as of the date above.
| Provider / Software | Vulnerability Reported | Mitigation Deployed | Notes |
|---|---|---|---|
| 4netplayers | — | 11th Feb 2026 | — |
| AMP Control Panel | 19th Jan 2026 | 19th Jan 2026 | Instances created before these dates must be re-created/updated within AMP |
| BisectHosting | 22nd Jan 2026 | 23rd Jan 2026 | — |
| Citadel Servers | 14th Feb 2026 | 14th Feb 2026 | Host advised us they have mitigated. |
| CzechChillout | — | 14th Feb 2026 | — |
| Game Host Bros | — | 22nd Jan 2026 | — |
| GG Host | — | 8th Feb 2026 | — |
| GhostCap | — | Late Jan 2026 | — |
| GPortal | 18th Jan 2026 | 20th Jan 2026 | — |
| GTXGaming | — | 7th Feb 2026 | You must enable Patch Vulnerability in the Start.bat area of your account |
| Host-Unlimited | — | 9th Feb 2026 | — |
| Indifferent Broccoli | — | 8th Feb 2026 | — |
| NodeCraft | 7th Feb 2026 | 7th Feb 2026 | Customers must install their own DSSettings.txt or contact support to load their save |
| PingPerfect | 7th Feb 2026 | 9th Feb 2026 | — |
| Pelican | 7th Feb 2026 | 12th Feb 2026 | — |
| Pterodactyl | — | — | Ensure you're using the egg: Protected Egg By SavageCore |

| Provider / Software | Vulnerability Reported | Current Status | Notes |
|---|---|---|---|
| HostHavoc | — | — | — |
| Nitrado | 30th Jan 2026 | 13th Feb 2026 | Some customers have reported they are still vulnerable. You can check yourself here. Do not use this company, they are awful! |
Want your GSP listed here or need to submit a change? Contact alienx via the Official StarRupture Discord with the current state of mitigation.
CreepyJar have been made aware of this vulnerability and have been sent proof of concept code. Please do not pester the CreepyJar staff regarding this.